
OAuth 2.1 Dynamic Client Registration for AWS BedrockAgentCore

Jonathan Penny

I built a CloudFormation template that adds OAuth 2.1 Dynamic Client Registration (DCR) to AWS BedrockAgentCore Gateway. It’s now open source: agentcore-dcr.

The Problem

AWS Cognito doesn’t support Dynamic Client Registration natively. But BedrockAgentCore Gateway requires pre-registered client IDs. Modern OAuth clients - including Claude Code and multi-tenant applications - expect to register automatically.

This gap between what users expect and what the platform provides was blocking adoption.

The Solution

A Lambda function that:

Implementation Gotchas

Client name sanitization: Cognito only permits [\w\s+=,.@-]+ characters. OAuth clients often include parentheses in names, so you need to clean them.

Gateway dependency: There’s a circular CloudFormation dependency issue. The fix is passing the gateway name as an environment variable and doing runtime lookups.

Undocumented API quirk: The list_gateways response returns its results under the key items, not gateways. Ask me how long that took to figure out.

Cost

About $9/month for 1,000 registrations. Cognito is the biggest expense (~$5.50).

Resources