OAuth 2.1 Dynamic Client Registration for AWS BedrockAgentCore
I built a CloudFormation template that adds OAuth 2.1 Dynamic Client Registration (DCR) to AWS BedrockAgentCore Gateway. It’s now open source: agentcore-dcr.
The Problem
AWS Cognito doesn’t support Dynamic Client Registration natively, and BedrockAgentCore Gateway expects the client IDs it will accept to be registered up front on its AllowedClients list. Modern OAuth clients - including Claude Code and multi-tenant applications - expect to register themselves automatically at a registration endpoint instead.
This gap between what users expect and what the platform provides was blocking adoption.
The Solution
A Lambda function that:
- Creates Cognito User Pool Clients on registration requests
- Automatically updates the Gateway’s AllowedClients list
- Sanitizes client metadata (Cognito has strict validation)
- Returns RFC-compliant registration responses
- Uses API Gateway mock integrations to serve the static authorization server metadata (RFC 8414 / OIDC discovery) document, so no Lambda invocation is needed for discovery
Implementation Gotchas
Client name sanitization: Cognito only permits client names matching `[\w\s+=,.@-]+` (up to 128 characters). OAuth clients often include parentheses or slashes in their names, so the Lambda strips anything outside that set before calling Cognito.
Gateway dependency: Wiring the Gateway’s ID directly into the Lambda creates a circular CloudFormation dependency between the two resources. The fix is passing the gateway name as an environment variable and resolving it to an ID with a runtime lookup.
Undocumented API quirk: The list_gateways call returns its results under the key items, not gateways. Ask me how long that took to figure out.
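The pieces above (name sanitization, runtime gateway lookup, AllowedClients update, RFC 7591 response shaping) as one added example. This is not code from the agentcore-dcr project; it is written here to illustrate the data handling, with the boto3 calls abstracted behind a callable so it runs offline. The gateway name `demo-gateway`, the sample list_gateways response and the registration request are constructed, and a redirect_uri check (RFC 7591 `invalid_redirect_uri`, OAuth 2.1 loopback rule) is added that the post does not mention.

```python
import re
import time
from urllib.parse import urlparse

# Cognito's ClientName constraint (CreateUserPoolClient): [\w\s+=,.@-]+, 1-128 chars.
_COGNITO_DISALLOWED = re.compile(r"[^\w\s+=,.@-]")


def sanitize_client_name(name, fallback="dcr-client"):
    """Strip characters Cognito rejects (parentheses, slashes, quotes, ...),
    collapse whitespace, truncate to 128; fall back if nothing survives."""
    cleaned = _COGNITO_DISALLOWED.sub("", name or "")
    cleaned = " ".join(cleaned.split())[:128]
    return cleaned or fallback


def validate_redirect_uris(uris):
    """RFC 7591 section 3.2.2: refuse the registration (invalid_redirect_uri)
    rather than store a URI the client could later be redirected to. OAuth 2.1
    allows http only on the loopback interface; anything else must be https
    and must not carry a fragment. Returns None when acceptable."""
    if not uris:
        return "invalid_redirect_uri", "redirect_uris is required"
    for uri in uris:
        p = urlparse(uri)
        loopback = p.scheme == "http" and p.hostname in ("localhost", "127.0.0.1", "::1")
        if p.fragment or not p.netloc or not (p.scheme == "https" or loopback):
            return "invalid_redirect_uri", f"unacceptable redirect_uri: {uri}"
    return None


def find_gateway_id(list_gateways_response, gateway_name):
    """Runtime lookup by name (the name comes from an environment variable to
    avoid the CloudFormation cycle). Rows live under 'items', not 'gateways'."""
    for gw in list_gateways_response.get("items", []):
        if gw.get("name") == gateway_name:
            return gw["gatewayId"]
    raise LookupError(f"gateway {gateway_name!r} not found")


def merged_allowed_clients(current, client_id):
    """Idempotently append the new client id to the gateway's AllowedClients."""
    return list(current) if client_id in current else list(current) + [client_id]


def registration_response(request, client_id, client_secret=None, issued_at=None):
    """RFC 7591 section 3.2.1: echo the registered metadata plus client_id and
    client_id_issued_at; include client_secret only when one was generated,
    with client_secret_expires_at = 0 meaning 'does not expire'."""
    body = {
        "client_id": client_id,
        "client_id_issued_at": issued_at if issued_at is not None else int(time.time()),
        "client_name": sanitize_client_name(request.get("client_name")),
        "redirect_uris": list(request["redirect_uris"]),
        "grant_types": request.get("grant_types", ["authorization_code"]),
        "token_endpoint_auth_method": request.get("token_endpoint_auth_method", "none"),
    }
    if client_secret:
        body["client_secret"] = client_secret
        body["client_secret_expires_at"] = 0
    return body


def register_client(request, gateway_name, list_gateways_response, current_allowed, create_client):
    """Whole flow with AWS calls abstracted: validate -> create the Cognito app
    client -> compute the new AllowedClients -> RFC 7591 response.
    create_client(name, redirect_uris, public) returns (client_id, secret_or_None);
    in a real Lambda it would wrap cognito-idp CreateUserPoolClient."""
    err = validate_redirect_uris(request.get("redirect_uris"))
    if err:
        return 400, {"error": err[0], "error_description": err[1]}
    gateway_id = find_gateway_id(list_gateways_response, gateway_name)
    public = request.get("token_endpoint_auth_method", "none") == "none"
    client_id, secret = create_client(
        sanitize_client_name(request.get("client_name")), request["redirect_uris"], public)
    new_allowed = merged_allowed_clients(current_allowed, client_id)
    # A real Lambda would now push new_allowed into gateway_id's authorizer config
    # (bedrock-agentcore-control UpdateGateway) before returning the response.
    return 201, {"gateway_id": gateway_id, "allowed_clients": new_allowed,
                 "response": registration_response(request, client_id, secret)}


# Constructed sample data; not real AWS responses or a real client.
SAMPLE_LIST_GATEWAYS = {"items": [{"gatewayId": "gw-abc123", "name": "demo-gateway"}]}
SAMPLE_REQUEST = {"client_name": "Claude Code (local)",
                  "redirect_uris": ["http://localhost:8080/callback"],
                  "grant_types": ["authorization_code"],
                  "token_endpoint_auth_method": "none"}


def fake_create_client(name, redirect_uris, public):
    """Stand-in for CreateUserPoolClient: fixed id, no secret for public clients."""
    return "7h3fakeclientid", None if public else "s3cr3t"


if __name__ == "__main__":
    print(register_client(SAMPLE_REQUEST, "demo-gateway", SAMPLE_LIST_GATEWAYS,
                          ["existingclient"], fake_create_client))
```

The only calls a real deployment adds are the two boto3 calls behind `create_client` and the gateway update; everything that can be unit-tested without AWS credentials is kept in pure functions, which is also where the Cognito validation surprises show up first.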
Cost
About $9/month at 1,000 registrations per month. Cognito is the biggest expense (~$5.50); the rest is Lambda and API Gateway.
Resources
- agentcore-dcr on GitHub
- Full discussion with implementation details
- RFC 7591 (OAuth 2.0 Dynamic Client Registration Protocol) and RFC 8414 (OAuth 2.0 Authorization Server Metadata)