CustomJwtConfiguration

class aws_cdk.aws_bedrock_agentcore_alpha.CustomJwtConfiguration(*, discovery_url, allowed_audience=None, allowed_clients=None)

Bases: object

(experimental) Custom JWT authorizer configuration.

Parameters:

  • discovery_url (str) – (experimental) This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens. Pattern: .+/.well-known/openid-configuration Required: Yes

  • allowed_audience (Optional[Sequence[str]]) – (experimental) Represents individual audience values that are validated in the incoming JWT token validation process. Default: - No audience validation

  • allowed_clients (Optional[Sequence[str]]) – (experimental) Represents individual client IDs that are validated in the incoming JWT token validation process. Default: - No client ID validation

Stability:

experimental

ExampleMetadata:

fixture=default infused

Example:

# Create a KMS key for encryption
encryption_key = kms.Key(self, "GatewayEncryptionKey",
    enable_key_rotation=True,
    description="KMS key for gateway encryption"
)

# Create gateway with KMS encryption
gateway = agentcore.Gateway(self, "MyGateway",
    gateway_name="my-encrypted-gateway",
    description="Gateway with KMS encryption",
    protocol_configuration=agentcore.McpProtocolConfiguration(
        instructions="Use this gateway to connect to external MCP tools",
        search_type=agentcore.McpGatewaySearchType.SEMANTIC,
        supported_versions=[agentcore.MCPProtocolVersion.MCP_2025_03_26]
    ),
    authorizer_configuration=agentcore.GatewayAuthorizer.using_custom_jwt(
        discovery_url="https://auth.example.com/.well-known/openid-configuration",
        allowed_audience=["my-app"],
        allowed_clients=["my-client-id"]
    ),
    kms_key=encryption_key,
    exception_level=agentcore.GatewayExceptionLevel.DEBUG
)

Attributes

allowed_audience

(experimental) Represents individual audience values that are validated in the incoming JWT token validation process.

Default:

  • No audience validation

Stability:

experimental

allowed_clients

(experimental) Represents individual client IDs that are validated in the incoming JWT token validation process.

Default:

  • No client ID validation

Stability:

experimental

discovery_url

(experimental) This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

Pattern: .+/.well-known/openid-configuration Required: Yes

Stability:

experimental