Amazon Bedrock AgentCore Data Plane Fronting Layer

2025/10/13 - Amazon Bedrock AgentCore Data Plane Fronting Layer - 1 new, 2 updated API methods

Changes: Updated InvokeAgentRuntime API to accept account ID optionally and added CompleteResourceTokenAuth API.

CompleteResourceTokenAuth (new)

Confirms the user authentication session for obtaining OAuth2.0 tokens for a resource.

See also: AWS API Documentation

Request Syntax

client.complete_resource_token_auth(
    userIdentifier={
        'userToken': 'string',
        'userId': 'string'
    },
    sessionUri='string'
)
type userIdentifier:

dict

param userIdentifier:

[REQUIRED]

The OAuth2.0 token or user ID that was used to generate the workload access token with which the user authorization flow for retrieving OAuth2.0 tokens was initiated.

  • userToken (string) --

    The OAuth2.0 token issued by the user's identity provider.

  • userId (string) --

    The ID of the user for whom you have retrieved a workload access token.

type sessionUri:

string

param sessionUri:

[REQUIRED]

Unique identifier for the user's authentication session for retrieving OAuth2 tokens. This ID tracks the authorization flow state across multiple requests and responses during the OAuth2 authentication process.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

GetResourceOauth2Token (updated)
Changes (request, response)
Request
{'customState': 'string', 'sessionUri': 'string'}
Response
{'sessionStatus': 'IN_PROGRESS | FAILED', 'sessionUri': 'string'}

Returns the OAuth 2.0 token of the provided resource.

See also: AWS API Documentation

Request Syntax

client.get_resource_oauth2_token(
    workloadIdentityToken='string',
    resourceCredentialProviderName='string',
    scopes=[
        'string',
    ],
    oauth2Flow='USER_FEDERATION'|'M2M',
    sessionUri='string',
    resourceOauth2ReturnUrl='string',
    forceAuthentication=True|False,
    customParameters={
        'string': 'string'
    },
    customState='string'
)
type workloadIdentityToken:

string

param workloadIdentityToken:

[REQUIRED]

The identity token of the workload from which you want to retrieve the OAuth2 token.

type resourceCredentialProviderName:

string

param resourceCredentialProviderName:

[REQUIRED]

The name of the resource's credential provider.

type scopes:

list

param scopes:

[REQUIRED]

The OAuth scopes being requested.

  • (string) --

type oauth2Flow:

string

param oauth2Flow:

[REQUIRED]

The type of flow to be performed.

type sessionUri:

string

param sessionUri:

Unique identifier for the user's authentication session for retrieving OAuth2 tokens. This ID tracks the authorization flow state across multiple requests and responses during the OAuth2 authentication process.

type resourceOauth2ReturnUrl:

string

param resourceOauth2ReturnUrl:

The callback URL to redirect to after the OAuth 2.0 token retrieval is complete. This URL must be one of the provided URLs configured for the workload identity.

type forceAuthentication:

boolean

param forceAuthentication:

Indicates whether to always initiate a new three-legged OAuth (3LO) flow, regardless of any existing session.

type customParameters:

dict

param customParameters:

A map of custom parameters to include in the authorization request to the resource credential provider. These parameters are in addition to the standard OAuth 2.0 flow parameters, and will not override them.

  • (string) --

    • (string) --

type customState:

string

param customState:

An opaque string that will be sent back to the callback URL provided in resourceOauth2ReturnUrl. This state should be used to protect the callback URL of your application against CSRF attacks by ensuring the response corresponds to the original request.

rtype:

dict

returns:

Response Syntax

{
    'authorizationUrl': 'string',
    'accessToken': 'string',
    'sessionUri': 'string',
    'sessionStatus': 'IN_PROGRESS'|'FAILED'
}

Response Structure

  • (dict) --

    • authorizationUrl (string) --

      The URL to initiate the authorization process, provided when the access token requires user authorization.

    • accessToken (string) --

      The OAuth 2.0 access token to use.

    • sessionUri (string) --

      Unique identifier for the user's authorization session for retrieving OAuth2 tokens. This matches the sessionUri from the request and can be used to track the session state.

    • sessionStatus (string) --

      Status indicating whether the user's authorization session is in progress or has failed. This helps determine the next steps in the OAuth2 authentication flow.
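As an added example (not code from this changelog or from the AgentCore SDK), the two operations above wired together on the caller side against a constructed stand-in client: GetResourceOauth2Token opens the session, the customState echoed to the callback is checked and consumed before CompleteResourceTokenAuth confirms the session, and a second GetResourceOauth2Token carrying the sessionUri collects the token. The stub client, the provider and token values, and the confirm-then-fetch ordering are assumptions made for the example.

```python
import secrets

class StubAgentCoreClient:
    """Constructed offline stand-in for boto3's bedrock-agentcore client (documented shapes only)."""
    def __init__(self):
        self.confirmed = set()  # sessionUris that CompleteResourceTokenAuth has confirmed
    def get_resource_oauth2_token(self, **kw):
        uri = kw.get("sessionUri") or "urn:constructed:session:" + secrets.token_hex(4)
        if uri in self.confirmed:
            return {"accessToken": "constructed-access-token", "sessionUri": uri}
        return {"authorizationUrl": "https://idp.example/authorize?state=" + kw.get("customState", ""),
                "sessionUri": uri, "sessionStatus": "IN_PROGRESS"}
    def complete_resource_token_auth(self, *, userIdentifier, sessionUri):
        self.confirmed.add(sessionUri)
        return {}


class ResourceTokenFlow:
    """Caller side of the USER_FEDERATION (3LO) flow; tracks each customState it issued."""
    def __init__(self, client, workload_token, provider, scopes, return_url):
        self.client, self.workload_token = client, workload_token
        self.provider, self.scopes, self.return_url = provider, scopes, return_url
        self.pending = {}  # customState -> sessionUri; each entry is consumed once

    def _get_token(self, **extra):
        return self.client.get_resource_oauth2_token(
            workloadIdentityToken=self.workload_token, resourceCredentialProviderName=self.provider,
            scopes=self.scopes, oauth2Flow="USER_FEDERATION", **extra)

    def begin(self):
        """Returns ("token", accessToken) or ("redirect", authorizationUrl)."""
        state = secrets.token_urlsafe(32)  # unguessable, so a forged callback cannot match
        resp = self._get_token(resourceOauth2ReturnUrl=self.return_url, customState=state)
        if "accessToken" in resp:
            return "token", resp["accessToken"]
        self.pending[state] = resp["sessionUri"]
        return "redirect", resp["authorizationUrl"]

    def finish(self, callback_state, user_token):
        """Callback handler: reject unknown or replayed state before any API call."""
        session_uri = self.pending.pop(callback_state, None)
        if session_uri is None:
            raise PermissionError("customState not issued by this app: callback rejected")
        self.client.complete_resource_token_auth(
            userIdentifier={"userToken": user_token}, sessionUri=session_uri)
        resp = self._get_token(sessionUri=session_uri)
        if resp.get("sessionStatus") == "FAILED" or "accessToken" not in resp:
            raise RuntimeError("authorization session did not yield a token")
        return resp["accessToken"]
```

Because each customState is popped on first use, a replayed or forged callback is refused before the service is called, which is the CSRF property the customState parameter exists to provide.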

InvokeAgentRuntime (updated)
Changes (request)
{'accountId': 'string'}

Sends a request to an agent or tool hosted in an Amazon Bedrock AgentCore Runtime and receives responses in real-time.

To invoke an agent you must specify the AgentCore Runtime ARN and provide a payload containing your request. You can optionally specify a qualifier to target a specific version or endpoint of the agent.

This operation supports streaming responses, allowing you to receive partial responses as they become available. We recommend using pagination to ensure that the operation returns quickly and successfully when processing large responses.

For example code, see Invoke an AgentCore Runtime agent.

If you're integrating your agent with OAuth, you can't use the Amazon Web Services SDK to call InvokeAgentRuntime. Instead, make an HTTPS request to InvokeAgentRuntime. For an example, see Authenticate and authorize with Inbound Auth and Outbound Auth.

To use this operation, you must have the bedrock-agentcore:InvokeAgentRuntime permission. If you are making a call to InvokeAgentRuntime on behalf of a user ID with the X-Amzn-Bedrock-AgentCore-Runtime-User-Id header, you need permissions for both actions (bedrock-agentcore:InvokeAgentRuntime and bedrock-agentcore:InvokeAgentRuntimeForUser).

See also: AWS API Documentation

Request Syntax

client.invoke_agent_runtime(
    contentType='string',
    accept='string',
    mcpSessionId='string',
    runtimeSessionId='string',
    mcpProtocolVersion='string',
    runtimeUserId='string',
    traceId='string',
    traceParent='string',
    traceState='string',
    baggage='string',
    agentRuntimeArn='string',
    qualifier='string',
    accountId='string',
    payload=b'bytes'|file
)
type contentType:

string

param contentType:

The MIME type of the input data in the payload. This tells the agent runtime how to interpret the payload data. Common values include application/json for JSON data.

type accept:

string

param accept:

The desired MIME type for the response from the agent runtime. This tells the agent runtime what format to use for the response data. Common values include application/json for JSON data.

type mcpSessionId:

string

param mcpSessionId:

The identifier of the MCP session.

type runtimeSessionId:

string

param runtimeSessionId:

The identifier of the runtime session.

This field is autopopulated if not provided.

type mcpProtocolVersion:

string

param mcpProtocolVersion:

The version of the MCP protocol being used.

type runtimeUserId:

string

param runtimeUserId:

The identifier of the runtime user.

type traceId:

string

param traceId:

The trace identifier for request tracking.

type traceParent:

string

param traceParent:

The parent trace information for distributed tracing.

type traceState:

string

param traceState:

The trace state information for distributed tracing.

type baggage:

string

param baggage:

Additional context information for distributed tracing.

type agentRuntimeArn:

string

param agentRuntimeArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the agent runtime to invoke. The ARN uniquely identifies the agent runtime resource in Amazon Bedrock.

type qualifier:

string

param qualifier:

The qualifier to use for the agent runtime. This can be a version number or an endpoint name that points to a specific version. If not specified, Amazon Bedrock uses the default version of the agent runtime.

type accountId:

string

param accountId:

The identifier of the Amazon Web Services account for the agent runtime resource.

type payload:

bytes or seekable file-like object

param payload:

[REQUIRED]

The input data to send to the agent runtime. The format of this data depends on the specific agent configuration and must match the specified content type. For most agents, this is a JSON object containing the user's request.

rtype:

dict

returns:

Response Syntax

{
    'runtimeSessionId': 'string',
    'mcpSessionId': 'string',
    'mcpProtocolVersion': 'string',
    'traceId': 'string',
    'traceParent': 'string',
    'traceState': 'string',
    'baggage': 'string',
    'contentType': 'string',
    'response': StreamingBody(),
    'statusCode': 123
}

Response Structure

  • (dict) --

    • runtimeSessionId (string) --

      The identifier of the runtime session.

    • mcpSessionId (string) --

      The identifier of the MCP session.

    • mcpProtocolVersion (string) --

      The version of the MCP protocol being used.

    • traceId (string) --

      The trace identifier for request tracking.

    • traceParent (string) --

      The parent trace information for distributed tracing.

    • traceState (string) --

      The trace state information for distributed tracing.

    • baggage (string) --

      Additional context information for distributed tracing.

    • contentType (string) --

      The MIME type of the response data. This indicates how to interpret the response data. Common values include application/json for JSON data.

    • response (:class:`.StreamingBody`) --

      The response data from the agent runtime. The format of this data depends on the specific agent configuration and the requested accept type. For most agents, this is a JSON object containing the agent's response to the user's request.

    • statusCode (integer) --

      The HTTP status code of the response. A status code of 200 indicates a successful operation. Other status codes indicate various error conditions.