Using Semantic Search Authentication for MCP Requests

Using a Gateway with MCP

Gateway implements the Model Context Protocol (MCP), which provides a standardized way for agents to discover and invoke tools. Gateway is compatible with MCP clients that implement this specification.

The gateway exposes two main MCP operations:

tools/list: Lists all available tools provided by the gateway
tools/call: Invokes a specific tool with the provided arguments

Gateway also provides a built-in semantic search capability through the x_amz_bedrock_agentcore_search tool, which helps agents find the most relevant tools for specific tasks without needing to know all available tools.

Using Semantic Search

The semantic search tool allows agents to discover relevant tools based on natural language queries. This is particularly useful when you have many tools and want the agent to automatically find the most appropriate ones.


# Example: Using semantic search to find relevant tools
import json
from mcp import ClientSession
from mcp.client.streamable_http import streamablehttp_client

async def search_tools(gateway_url, access_token, query):
    headers = {"Authorization": f"Bearer {access_token}"}
    async with streamablehttp_client(gateway_url, headers=headers) as (read, write, _):
        async with ClientSession(read, write) as session:
            await session.initialize()
            
            # Use the built-in search tool
            response = await session.call_tool(
                "x_amz_bedrock_agentcore_search",
                arguments={"query": query}
            )
            
            # Parse the search results
            for content in response.content:
                results = json.loads(content.text)
                print(f"Found {len(results)} relevant tools for: {query}")
                for tool in results:
                    print(f"- {tool['name']}: {tool['description']}")

# Example usage
await search_tools(
    "https://gateway-id.gateway.bedrock-agentcore.us-west-2.amazonaws.com/mcp",
    "your-access-token",
    "How do I process images?"
)

To use these operations, you need to make HTTP requests to the gateway's MCP endpoint with the appropriate authentication.

Authentication for MCP Requests

Before making MCP requests to a gateway, you need to obtain an authentication token from the identity provider configured for the gateway's Inbound Auth. The process for obtaining a token depends on the identity provider:

For Amazon Cognito, you can use the OAuth 2.0 token endpoint with client credentials flow
For Auth0, you can use the OAuth 2.0 token endpoint with client credentials flow
For other identity providers, refer to their documentation for obtaining access tokens

Amazon Cognito Token Acquisition

For Amazon Cognito, use the OAuth 2.0 token endpoint with client credentials flow:


import requests
import base64

def get_cognito_access_token(client_id, client_secret, cognito_domain):
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    
    response = requests.post(
        f"https://{cognito_domain}/oauth2/token",
        headers={
            "Authorization": f"Basic {credentials}",
            "Content-Type": "application/x-www-form-urlencoded"
        },
        data={"grant_type": "client_credentials"}
    )
    
    return response.json()["access_token"]

For detailed information on setting up authentication and obtaining tokens, see Prerequisites to set up a gateway.

Once you have an access token, include it in the Authorization header of your MCP requests:


Authorization: Bearer YOUR_ACCESS_TOKEN

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Using a Gateway

Listing Available Tools