Amazon AppStream
Developer Guide

This documentation is for an older version of Amazon AppStream. For information about the latest version, see the Amazon AppStream 2.0 Developer Guide.

Building an Entitlement Service

An entitlement service authenticates and authorizes users. It is the gatekeeper between clients and your application, ensuring that only those clients entitled to access your application do so. Your entitlement service can authenticate users in a variety of ways: by comparing user login credentials to a list of subscribers in a database, by using an external login service such as Login with Amazon, or by simply authenticating all clients.

An entitlement service:

  1. Processes requests from clients to connect to your application.

  2. Authenticates user credentials.

  3. Checks whether the user is authorized to access your application.

  4. Calls into Amazon AppStream to create new client sessions for authorized users.

  5. Returns an entitlement URL to authorized clients that the client uses to access your application.

You can download a sample entitlement service from Sample Entitlement Service. To deploy the sample entitlement service on your own Amazon EC2 instance, see Design Considerations for Your Entitlement Service.

For more information about the lifecycle of a connection request, see How a Client Application Connects to the Streaming Application.


While you could implement the entitlement logic directly in the client, doing so is strongly discouraged because of the requirement to call into the Amazon AppStream service to create new sessions. It is more secure to have your AWS credentials built into a web service running on a server you control than compiled into client code running locally on end-user devices.