bedrock-agentcore 0.1.1 → 0.2.0

package/README.md

@@ -1,156 +1,136 @@
 <div align="center">
-  <div>
-    <a href="https://aws.amazon.com/bedrock/agentcore/">
-      <img width="150" height="150" alt="image" src="https://github.com/user-attachments/assets/b8b9456d-c9e2-45e1-ac5b-760f21f1ac18" />
-   </a>
-  </div>
-
-  <h1>
-    Bedrock AgentCore SDK
-  </h1>
-
-  <h2>
-    Deploy your local AI agent to Bedrock AgentCore with zero infrastructure
-  </h2>
-
-  <div align="center">
-    <a href="https://github.com/aws/bedrock-agentcore-sdk-typescript/graphs/commit-activity"><img alt="GitHub commit activity" src="https://img.shields.io/github/commit-activity/m/aws/bedrock-agentcore-sdk-typescript"/></a>
-    <a href="https://github.com/aws/bedrock-agentcore-sdk-typescript/issues"><img alt="GitHub open issues" src="https://img.shields.io/github/issues/aws/bedrock-agentcore-sdk-typescript"/></a>
-    <a href="https://github.com/aws/bedrock-agentcore-sdk-typescript/pulls"><img alt="GitHub open pull requests" src="https://img.shields.io/github/issues-pr/aws/bedrock-agentcore-sdk-typescript"/></a>
-    <a href="https://github.com/aws/bedrock-agentcore-sdk-typescript/blob/main/LICENSE"><img alt="License" src="https://img.shields.io/github/license/aws/bedrock-agentcore-sdk-typescript"/></a>
-    <a href="https://www.npmjs.com/package/bedrock-agentcore"><img alt="npm version" src="https://img.shields.io/npm/v/bedrock-agentcore"/></a>
-    <a href="https://nodejs.org"><img alt="Node.js versions" src="https://img.shields.io/node/v/bedrock-agentcore"/></a>
-  </div>
+  <a href="https://aws.amazon.com/bedrock/agentcore/">
+    <img width="150" height="150" alt="Bedrock AgentCore" src="https://github.com/user-attachments/assets/b8b9456d-c9e2-45e1-ac5b-760f21f1ac18" />
+  </a>
+
+  <h1>Bedrock AgentCore SDK for TypeScript</h1>
+
+  <p>Deploy AI agents to AWS with VM-level isolation and zero infrastructure</p>
 
   <p>
-  <a href="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/what-is-bedrock-agentcore.html">Documentation</a>
-    ◆ <a href="https://github.com/awslabs/amazon-bedrock-agentcore-samples">Samples</a>
-    ◆ <a href="https://discord.gg/bedrockagentcore-preview">Discord</a>
-    ◆ <a href="https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/bedrock-agentcore-control.html">AWS Boto3 SDK</a>
-    ◆ <a href="https://github.com/aws/bedrock-agentcore-sdk-python">Python SDK</a>
-    ◆ <a href="https://github.com/aws/bedrock-agentcore-sdk-typescript">TypeScript SDK</a>
-    ◆ <a href="https://github.com/aws/bedrock-agentcore-starter-toolkit">Starter Toolkit</a>
+    <a href="https://www.npmjs.com/package/bedrock-agentcore"><img alt="npm version" src="https://img.shields.io/npm/v/bedrock-agentcore"/></a>
+    <a href="https://www.typescriptlang.org/"><img alt="TypeScript" src="https://img.shields.io/badge/TypeScript-5.5+-blue"/></a>
+    <a href="https://nodejs.org/"><img alt="Node.js" src="https://img.shields.io/badge/Node.js-20+-green"/></a>
+    <a href="https://github.com/aws/bedrock-agentcore-sdk-typescript/blob/main/LICENSE"><img alt="License" src="https://img.shields.io/badge/License-Apache%202.0-blue"/></a>
+  </p>
 
+  <p>
+    <a href="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/what-is-bedrock-agentcore.html">Documentation</a>
+    &nbsp;&nbsp;|&nbsp;&nbsp;
+    <a href="https://github.com/awslabs/bedrock-agentcore-samples-typescript">Samples</a>
+    &nbsp;&nbsp;|&nbsp;&nbsp;
+    <a href="https://github.com/aws/bedrock-agentcore-sdk-python">Python SDK</a>
   </p>
 </div>
 
-## Overview
-Amazon Bedrock AgentCore enables you to deploy and operate highly effective agents securely, at scale using any framework and model. With Amazon Bedrock AgentCore, developers can accelerate AI agents into production with the scale, reliability, and security, critical to real-world deployment. AgentCore provides tools and capabilities to make agents more effective and capable, purpose-built infrastructure to securely scale agents, and controls to operate trustworthy agents. Amazon Bedrock AgentCore services are composable and work with popular open-source frameworks and any model, so you don’t have to choose between open-source flexibility and enterprise-grade security and reliability.
+---
 
-**What you get with Bedrock AgentCore:**
-- ✅ **Keep your agent logic** - Works with Strands, LangGraph, CrewAI, Autogen, custom frameworks
-- ✅ **Zero infrastructure management** - No servers, containers, or scaling concerns
-- ✅ **Enterprise-grade platform** - Built-in auth, memory, observability, security
-- ✅ **Production-ready deployment** - Reliable, scalable, compliant hosting
+## Why AgentCore?
 
-## Amazon Bedrock AgentCore services
-- 🚀 **Runtime** - Secure and session isolated compute: **[Runtime Quick Start](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-get-started-toolkit.html)**
-- 🧠 **Memory** - Persistent knowledge across sessions: **[Memory Quick Start](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/memory-get-started.html)**
-- 🔗 **Gateway** - Transform APIs into MCP tools: **[Gateway Quick Start](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-quick-start.html)**
-- 💻 **Code Interpreter** - Secure sandboxed execution: **[Code Interpreter Quick Start](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/code-interpreter-getting-started.html)**
-- 🌐 **Browser** - Cloud-based web automation: **[Browser Quick Start](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/browser-onboarding.html)**
-- 📊 **Observability** - OpenTelemetry tracing: **[Observability Quick Start](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability-get-started.html)**
-- 🔐 **Identity** - AWS & third-party auth: **[Identity Quick Start](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity-getting-started-cognito.html)**
+- **Zero infrastructure** — No servers to provision, no containers to manage, no scaling to configure.
+- **Session isolation** — Each agent session runs in its own VM. No shared state, no noisy neighbors.
+- **Long-lived sessions** — Sessions persist across requests. Your agent maintains context without external storage.
+- **Managed tools** — Secure code execution and browser automation, ready to use.
+- **Credential management** — Centralized API keys and OAuth tokens, injected at runtime.
 
-## ⚠️ TypeScript SDK Scope
+Works with [Strands Agents](https://strandsagents.com), [Vercel AI SDK](https://ai-sdk.dev), or any framework.
 
-This SDK currently provides Code Interpreter and Browser tools. Additional service integrations are on the roadmap.
+---
 
-## AgentCore Tools
+## Quick Start
 
-### 💻 Code Interpreter
-Execute Python, JavaScript, or TypeScript in a secure AWS-managed sandbox:
+```bash
+npm install bedrock-agentcore @strands-agents/sdk
+```
 
 ```typescript
-// Core client (framework-agnostic)
-import { CodeInterpreterClient } from 'bedrock-agentcore/code-interpreter'
-// Methods: startSession, stopSession, executeCode, writeFiles, readFiles, 
-// listFiles, deleteFiles, executeCommand
-```
+import { BedrockAgentCoreApp } from 'bedrock-agentcore/runtime'
+import { Agent, BedrockModel } from '@strands-agents/sdk'
+import { z } from 'zod'
 
-### 🌐 Browser
-Automate web browsing with cloud-based browser automation (compatible with Playwright, Puppeteer, and other browser automation SDKs):
+const agent = new Agent({
+  model: new BedrockModel({ modelId: 'global.amazon.nova-2-lite-v1:0' }),
+})
 
-```typescript
-// Playwright client (framework-agnostic)
-import { PlaywrightBrowser } from 'bedrock-agentcore/browser/playwright'
-// Methods: startSession, stopSession, navigate, click, fill, type, getText, 
-// getHtml, screenshot, evaluate, waitForSelector, back, forward
+const app = new BedrockAgentCoreApp({
+  invocationHandler: {
+    requestSchema: z.object({ prompt: z.string() }),
+    process: async function* (request) {
+      for await (const event of agent.stream(request.prompt)) {
+        if (event.delta?.text) yield { text: event.delta.text }
+      }
+    },
+  },
+})
+
+app.run()
 ```
 
-## AgentCore Tools with Vercel AI SDK
+`BedrockAgentCoreApp` creates an AgentCore Runtime-compliant server—handling request parsing, streaming responses, and session management for seamless deployment.
 
-Integrate Code Interpreter and Browser capabilities into your AI agents using the Vercel AI SDK.
+---
 
-### Installation
+## Tools
 
-```bash
-# Install the SDK
-npm install bedrock-agentcore
+Give your agent secure code execution with three lines:
 
-# Install AI SDK v6 (required), use any model provider
-npm install ai@beta @ai-sdk/amazon-bedrock@beta
+```typescript
+import { CodeInterpreterTools } from 'bedrock-agentcore/tools/code-interpreter/strands'
+import { Agent, BedrockModel } from '@strands-agents/sdk'
+
+const codeInterpreter = new CodeInterpreterTools({ region: 'us-east-1' })
+
+const agent = new Agent({
+  model: new BedrockModel({ modelId: 'global.amazon.nova-2-lite-v1:0' }),
+  tools: codeInterpreter.getTools(),
+})
 
-# Install Playwright (optional, only for Browser tools)
-npm install playwright
+// Agent can now execute code in a secure sandboxed environment
 ```
 
-**Prerequisites:**
-- Node.js >= 20.0.0
-- [AWS credentials](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) with Bedrock AgentCore access
-- Access to any large language model like models available in AWS Bedrock
+---
 
+## Features
 
-### Integration
+- **Runtime** — Secure, session-isolated compute → [Examples](https://github.com/awslabs/bedrock-agentcore-samples-typescript/tree/main/primitives/runtime)
+- **Code Interpreter** — Execute Python/JS/TS in a sandbox → [Examples](https://github.com/awslabs/bedrock-agentcore-samples-typescript/tree/main/primitives/tools/code-interpreter)
+- **Browser** — Cloud-based web automation → [Examples](https://github.com/awslabs/bedrock-agentcore-samples-typescript/tree/main/primitives/tools/browser)
+- **Identity** — Manage API keys and OAuth tokens → [Examples](https://github.com/awslabs/bedrock-agentcore-samples-typescript/tree/main/primitives/identity)
+- **Memory** — Persistent knowledge across sessions (coming soon)
+- **Gateway** — Transform APIs into MCP tools (coming soon)
+- **Observability** — OpenTelemetry tracing (coming soon)
 
-```typescript
-import { bedrock } from '@ai-sdk/amazon-bedrock'
-import { ToolLoopAgent } from 'ai'
-import { CodeInterpreterTools } from 'bedrock-agentcore/code-interpreter/vercel-ai'
-import { BrowserTools } from 'bedrock-agentcore/browser/vercel-ai'
-
-const codeInterpreter = new CodeInterpreterTools()
-const browser = new BrowserTools()
-
-const agent = new ToolLoopAgent({
-  model: bedrock('global.anthropic.claude-sonnet-4-20250514-v1:0'),
-  tools: {
-    ...codeInterpreter.tools,
-    ...browser.tools,
-  },
-})
+---
 
-// Invoke the agent with any prompt
-const result = await agent.run({
-  prompt: 'Visit news.ycombinator.com, scrape the top 5 stories, and analyze sentiment',
-})
+## Installation
 
-console.log(result.text)
+```bash
+npm install bedrock-agentcore
 ```
 
-> **Note:** If deploying to Vercel, use [Vercel OIDC](https://vercel.com/docs/oidc/aws) for secure AWS credentials. 
 
-## Try Examples
+**Prerequisites:** Node.js 20+, [AWS credentials](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html), [AgentCore access](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/agentcore-regions.html)
 
-Run the standalone example:
-```bash
-npx tsx examples/agent-with-code-interpreter.ts
-```
+---
 
-Or try the Next.js app with streaming UI:
-```bash
-cd examples/deep-research-ui && npm install && npm run dev
-```
+## Deployment
+
+- [Sample Applications](https://github.com/awslabs/bedrock-agentcore-samples-typescript) — Working examples with deployment templates
+- [CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/AWS_BedrockAgentCore.html) — Infrastructure as code
+- [AWS CDK](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_bedrockagentcore-readme.html) — Infrastructure as code
+- [Deployment Guide](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/getting-started-custom.html) — Step-by-step walkthrough
+
+---
 
-## 🏗️ Deployment
+## Resources
 
-See [AWS setup guide](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/getting-started-custom.html) for getting started with agentcore.
+- [AgentCore Documentation](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/what-is-bedrock-agentcore.html)
+- [Python SDK](https://github.com/aws/bedrock-agentcore-sdk-python)
 
-**Production:** [AWS CDK](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_bedrockagentcore-readme.html).
+---
 
+## License
 
-## 📝 License & Contributing
+Apache 2.0 — see [LICENSE](LICENSE)
 
-- **License:** Apache 2.0 - see [LICENSE](LICENSE)
-- **Contributing:** See [CONTRIBUTING.md](CONTRIBUTING.md)
-- **Security:** See [SECURITY.md](SECURITY.md)
+[Contributing](CONTRIBUTING.md) · [Security](SECURITY.md)

package/dist/src/_utils/endpoints.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Utility functions for constructing AWS service endpoints.
+ */
+/**
+ * Gets the data plane endpoint for the Bedrock AgentCore service.
+ *
+ * The endpoint can be overridden using the BEDROCK_AGENTCORE_DATA_PLANE_ENDPOINT
+ * environment variable. Otherwise, it follows the standard AWS endpoint pattern.
+ *
+ * @param region - AWS region (e.g., 'us-west-2', 'us-east-1')
+ * @returns Full HTTPS endpoint URL
+ *
+ * @example
+ * ```typescript
+ * const endpoint = getDataPlaneEndpoint('us-west-2')
+ * // Returns: 'https://bedrock-agentcore.us-west-2.amazonaws.com'
+ * ```
+ *
+ * @example
+ * With environment variable override:
+ * ```typescript
+ * process.env.BEDROCK_AGENTCORE_DATA_PLANE_ENDPOINT = 'https://custom-endpoint.example.com'
+ * const endpoint = getDataPlaneEndpoint('us-west-2')
+ * // Returns: 'https://custom-endpoint.example.com'
+ * ```
+ */
+export declare function getDataPlaneEndpoint(region: string): string;
+//# sourceMappingURL=endpoints.d.ts.map

package/dist/src/_utils/endpoints.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"endpoints.d.ts","sourceRoot":"","sources":["../../../src/_utils/endpoints.ts"],"names":[],"mappings":"AAAA;;GAEG;AAOH;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAc3D"}

package/dist/src/_utils/endpoints.js

@@ -0,0 +1,44 @@
+/**
+ * Utility functions for constructing AWS service endpoints.
+ */
+/**
+ * Environment variable for overriding the data plane endpoint.
+ */
+const ENDPOINT_OVERRIDE_ENV = 'BEDROCK_AGENTCORE_DATA_PLANE_ENDPOINT';
+/**
+ * Gets the data plane endpoint for the Bedrock AgentCore service.
+ *
+ * The endpoint can be overridden using the BEDROCK_AGENTCORE_DATA_PLANE_ENDPOINT
+ * environment variable. Otherwise, it follows the standard AWS endpoint pattern.
+ *
+ * @param region - AWS region (e.g., 'us-west-2', 'us-east-1')
+ * @returns Full HTTPS endpoint URL
+ *
+ * @example
+ * ```typescript
+ * const endpoint = getDataPlaneEndpoint('us-west-2')
+ * // Returns: 'https://bedrock-agentcore.us-west-2.amazonaws.com'
+ * ```
+ *
+ * @example
+ * With environment variable override:
+ * ```typescript
+ * process.env.BEDROCK_AGENTCORE_DATA_PLANE_ENDPOINT = 'https://custom-endpoint.example.com'
+ * const endpoint = getDataPlaneEndpoint('us-west-2')
+ * // Returns: 'https://custom-endpoint.example.com'
+ * ```
+ */
+export function getDataPlaneEndpoint(region) {
+    // Validate region is not empty
+    if (!region || region.trim() === '') {
+        throw new Error('Region cannot be empty');
+    }
+    // Check for environment variable override
+    const override = process.env[ENDPOINT_OVERRIDE_ENV];
+    if (override) {
+        return override;
+    }
+    // Return standard AWS endpoint pattern
+    return `https://bedrock-agentcore.${region}.amazonaws.com`;
+}
+//# sourceMappingURL=endpoints.js.map

package/dist/src/_utils/endpoints.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"endpoints.js","sourceRoot":"","sources":["../../../src/_utils/endpoints.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,MAAM,qBAAqB,GAAG,uCAAuC,CAAA;AAErE;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAc;IACjD,+BAA+B;IAC/B,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAA;IAC3C,CAAC;IAED,0CAA0C;IAC1C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAA;IACnD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,uCAAuC;IACvC,OAAO,6BAA6B,MAAM,gBAAgB,CAAA;AAC5D,CAAC"}

package/dist/src/identity/client.d.ts

@@ -0,0 +1,40 @@
+/**
+ * IdentityClient for AgentCore Identity operations
+ */
+import type { OAuth2TokenRequest, ApiKeyRequest } from './types.js';
+/**
+ * Client for interacting with Amazon Bedrock AgentCore Identity service.
+ * Provides methods for managing workload identities, credential providers,
+ * and retrieving OAuth2 tokens and API keys.
+ */
+export declare class IdentityClient {
+    private readonly dataPlaneClient;
+    /**
+     * Creates a new IdentityClient instance
+     * @param region - AWS region (defaults to AWS_REGION env var)
+     * @throws Error if region cannot be determined
+     */
+    constructor(region?: string);
+    /**
+     * Retrieves an OAuth2 access token from AgentCore Identity.
+     * Handles both M2M (immediate) and USER_FEDERATION (polling) flows.
+     *
+     * @param request - OAuth2 token request parameters
+     * @returns OAuth2 access token
+     * @throws Error if token retrieval fails or times out
+     */
+    getOAuth2Token(request: OAuth2TokenRequest): Promise<string>;
+    /**
+     * Polls for OAuth2 token until available or timeout
+     */
+    private pollForToken;
+    /**
+     * Retrieves an API key from AgentCore Identity token vault.
+     *
+     * @param request - API key request parameters
+     * @returns API key string
+     * @throws Error if API key retrieval fails
+     */
+    getApiKey(request: ApiKeyRequest): Promise<string>;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/src/identity/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/identity/client.ts"],"names":[],"mappings":"AAAA;;GAEG;AAOH,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AAKnE;;;;GAIG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAwB;IAExD;;;;OAIG;gBACS,MAAM,CAAC,EAAE,MAAM;IAU3B;;;;;;;OAOG;IACG,cAAc,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC;IAsClE;;OAEG;YACW,YAAY;IA6B1B;;;;;;OAMG;IACG,SAAS,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC;CAczD"}

package/dist/src/identity/client.js

@@ -0,0 +1,109 @@
+/**
+ * IdentityClient for AgentCore Identity operations
+ */
+import { BedrockAgentCoreClient, GetResourceOauth2TokenCommand, GetResourceApiKeyCommand, } from '@aws-sdk/client-bedrock-agentcore';
+const POLLING_INTERVAL_MS = 5000; // 5 seconds
+const POLLING_TIMEOUT_MS = 600000; // 10 minutes
+/**
+ * Client for interacting with Amazon Bedrock AgentCore Identity service.
+ * Provides methods for managing workload identities, credential providers,
+ * and retrieving OAuth2 tokens and API keys.
+ */
+export class IdentityClient {
+    dataPlaneClient;
+    /**
+     * Creates a new IdentityClient instance
+     * @param region - AWS region (defaults to AWS_REGION env var)
+     * @throws Error if region cannot be determined
+     */
+    constructor(region) {
+        const resolvedRegion = region || process.env.AWS_REGION;
+        if (!resolvedRegion) {
+            throw new Error('AWS region must be specified either as a parameter or via AWS_REGION environment variable');
+        }
+        this.dataPlaneClient = new BedrockAgentCoreClient({ region: resolvedRegion });
+    }
+    /**
+     * Retrieves an OAuth2 access token from AgentCore Identity.
+     * Handles both M2M (immediate) and USER_FEDERATION (polling) flows.
+     *
+     * @param request - OAuth2 token request parameters
+     * @returns OAuth2 access token
+     * @throws Error if token retrieval fails or times out
+     */
+    async getOAuth2Token(request) {
+        const command = new GetResourceOauth2TokenCommand({
+            resourceCredentialProviderName: request.providerName,
+            scopes: request.scopes,
+            oauth2Flow: request.authFlow,
+            workloadIdentityToken: request.workloadIdentityToken,
+            resourceOauth2ReturnUrl: request.callbackUrl,
+            forceAuthentication: request.forceAuthentication,
+            sessionUri: request.sessionUri,
+            customState: request.customState,
+            customParameters: request.customParameters,
+        });
+        const response = await this.dataPlaneClient.send(command);
+        // M2M flow - token returned immediately
+        if (response.accessToken) {
+            return response.accessToken;
+        }
+        // USER_FEDERATION flow - authorization URL returned
+        if (response.authorizationUrl) {
+            // Invoke callback if provided
+            if (request.onAuthUrl) {
+                await request.onAuthUrl(response.authorizationUrl);
+            }
+            // Poll for token
+            return this.pollForToken({
+                ...request,
+                sessionUri: response.sessionUri,
+                forceAuthentication: false,
+            });
+        }
+        throw new Error('Identity service did not return a token or authorization URL');
+    }
+    /**
+     * Polls for OAuth2 token until available or timeout
+     */
+    async pollForToken(request) {
+        const startTime = Date.now();
+        while (Date.now() - startTime < POLLING_TIMEOUT_MS) {
+            await new Promise((resolve) => globalThis.setTimeout(resolve, POLLING_INTERVAL_MS));
+            const command = new GetResourceOauth2TokenCommand({
+                resourceCredentialProviderName: request.providerName,
+                scopes: request.scopes,
+                oauth2Flow: request.authFlow,
+                workloadIdentityToken: request.workloadIdentityToken,
+                sessionUri: request.sessionUri,
+                resourceOauth2ReturnUrl: request.callbackUrl,
+                customState: request.customState,
+                customParameters: request.customParameters,
+            });
+            const response = await this.dataPlaneClient.send(command);
+            if (response.accessToken) {
+                return response.accessToken;
+            }
+        }
+        throw new Error(`Polling timed out after ${POLLING_TIMEOUT_MS / 1000} seconds. User may not have completed authorization.`);
+    }
+    /**
+     * Retrieves an API key from AgentCore Identity token vault.
+     *
+     * @param request - API key request parameters
+     * @returns API key string
+     * @throws Error if API key retrieval fails
+     */
+    async getApiKey(request) {
+        const command = new GetResourceApiKeyCommand({
+            resourceCredentialProviderName: request.providerName,
+            workloadIdentityToken: request.workloadIdentityToken,
+        });
+        const response = await this.dataPlaneClient.send(command);
+        if (!response.apiKey) {
+            throw new Error(`No API key returned for provider: ${request.providerName}`);
+        }
+        return response.apiKey;
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/src/identity/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/identity/client.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,sBAAsB,EACtB,6BAA6B,EAC7B,wBAAwB,GACzB,MAAM,mCAAmC,CAAA;AAG1C,MAAM,mBAAmB,GAAG,IAAI,CAAA,CAAC,YAAY;AAC7C,MAAM,kBAAkB,GAAG,MAAM,CAAA,CAAC,aAAa;AAE/C;;;;GAIG;AACH,MAAM,OAAO,cAAc;IACR,eAAe,CAAwB;IAExD;;;;OAIG;IACH,YAAY,MAAe;QACzB,MAAM,cAAc,GAAG,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAA;QAEvD,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,2FAA2F,CAAC,CAAA;QAC9G,CAAC;QAED,IAAI,CAAC,eAAe,GAAG,IAAI,sBAAsB,CAAC,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAA;IAC/E,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,cAAc,CAAC,OAA2B;QAC9C,MAAM,OAAO,GAAG,IAAI,6BAA6B,CAAC;YAChD,8BAA8B,EAAE,OAAO,CAAC,YAAY;YACpD,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,UAAU,EAAE,OAAO,CAAC,QAAQ;YAC5B,qBAAqB,EAAE,OAAO,CAAC,qBAAqB;YACpD,uBAAuB,EAAE,OAAO,CAAC,WAAW;YAC5C,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;YAChD,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;SAC3C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QAEzD,wCAAwC;QACxC,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;YACzB,OAAO,QAAQ,CAAC,WAAW,CAAA;QAC7B,CAAC;QAED,oDAAoD;QACpD,IAAI,QAAQ,CAAC,gBAAgB,EAAE,CAAC;YAC9B,8BAA8B;YAC9B,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;gBACtB,MAAM,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAA;YACpD,CAAC;YAED,iBAAiB;YACjB,OAAO,IAAI,CAAC,YAAY,CAAC;gBACvB,GAAG,OAAO;gBACV,UAAU,EAAE,QAAQ,CAAC,UAAU;gBAC/B,mBAAmB,EAAE,KAAK;aAC3B,CAAC,CAAA;QACJ,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAA;IACjF,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,YAAY,CAAC,OAA2B;QACpD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAE5B,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,kBAAkB,EAAE,CAAC;YACnD,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC,CAAA;YAEnF,MAAM,OAAO,GAAG,IAAI,6BAA6B,CAAC;gBAChD,8BAA8B,EAAE,OAAO,CAAC,YAAY;gBACpD,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,UAAU,EAAE,OAAO,CAAC,QAAQ;gBAC5B,qBAAqB,EAAE,OAAO,CAAC,qBAAqB;gBACpD,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,uBAAuB,EAAE,OAAO,CAAC,WAAW;gBAC5C,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;aAC3C,CAAC,CAAA;YAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;YAEzD,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACzB,OAAO,QAAQ,CAAC,WAAW,CAAA;YAC7B,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,2BAA2B,kBAAkB,GAAG,IAAI,sDAAsD,CAC3G,CAAA;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,SAAS,CAAC,OAAsB;QACpC,MAAM,OAAO,GAAG,IAAI,wBAAwB,CAAC;YAC3C,8BAA8B,EAAE,OAAO,CAAC,YAAY;YACpD,qBAAqB,EAAE,OAAO,CAAC,qBAAqB;SACrD,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QAEzD,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,qCAAqC,OAAO,CAAC,YAAY,EAAE,CAAC,CAAA;QAC9E,CAAC;QAED,OAAO,QAAQ,CAAC,MAAM,CAAA;IACxB,CAAC;CACF"}

package/dist/src/identity/index.d.ts

@@ -0,0 +1,22 @@
+/**
+ * AgentCore Identity SDK
+ *
+ * Provides identity and credential management for AI agents.
+ * Supports inbound authentication (SigV4, JWT) and outbound authentication (OAuth2, API keys).
+ *
+ * @example HOF wrapper usage
+ * ```typescript
+ * import { withAccessToken } from '@aws/bedrock-agentcore-sdk';
+ *
+ * const myTool = withAccessToken({
+ *   providerName: 'github',
+ *   scopes: ['repo'],
+ *   authFlow: 'M2M',
+ * })(async (input: string, token: string) => {
+ *   // Token automatically injected
+ * });
+ * ```
+ */
+export { withAccessToken, withApiKey } from './wrappers.js';
+export * from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/identity/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/identity/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAG3D,cAAc,YAAY,CAAA"}

package/dist/src/identity/index.js

@@ -0,0 +1,24 @@
+/**
+ * AgentCore Identity SDK
+ *
+ * Provides identity and credential management for AI agents.
+ * Supports inbound authentication (SigV4, JWT) and outbound authentication (OAuth2, API keys).
+ *
+ * @example HOF wrapper usage
+ * ```typescript
+ * import { withAccessToken } from '@aws/bedrock-agentcore-sdk';
+ *
+ * const myTool = withAccessToken({
+ *   providerName: 'github',
+ *   scopes: ['repo'],
+ *   authFlow: 'M2M',
+ * })(async (input: string, token: string) => {
+ *   // Token automatically injected
+ * });
+ * ```
+ */
+// Higher-order functions for wrapping tools
+export { withAccessToken, withApiKey } from './wrappers.js';
+// All type definitions
+export * from './types.js';
+//# sourceMappingURL=index.js.map

package/dist/src/identity/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/identity/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,4CAA4C;AAC5C,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAE3D,uBAAuB;AACvB,cAAc,YAAY,CAAA"}

package/dist/src/identity/types.d.ts

@@ -0,0 +1,82 @@
+/**
+ * Type definitions for AgentCore Identity SDK
+ */
+/**
+ * Request parameters for retrieving an OAuth2 access token
+ */
+export interface OAuth2TokenRequest {
+    /** Name of the credential provider */
+    providerName: string;
+    /** OAuth2 scopes to request */
+    scopes: string[];
+    /** Authentication flow type */
+    authFlow: 'M2M' | 'USER_FEDERATION';
+    /** Workload identity token for authentication */
+    workloadIdentityToken: string;
+    /** OAuth2 callback URL (must be pre-registered) */
+    callbackUrl?: string | undefined;
+    /** Force re-authentication even if token exists in vault */
+    forceAuthentication?: boolean | undefined;
+    /** Session URI for polling subsequent requests */
+    sessionUri?: string | undefined;
+    /** Custom state for callback validation */
+    customState?: string | undefined;
+    /** Custom parameters for authorization request */
+    customParameters?: Record<string, string> | undefined;
+    /** Callback invoked when authorization URL is returned */
+    onAuthUrl?: ((url: string) => void | Promise<void>) | undefined;
+}
+/**
+ * Request parameters for retrieving an API key
+ */
+export interface ApiKeyRequest {
+    /** Name of the credential provider */
+    providerName: string;
+    /** Workload identity token for authentication */
+    workloadIdentityToken: string;
+}
+/**
+ * Configuration for withAccessToken HOF wrapper
+ */
+export interface OAuth2WrapperConfig {
+    /**
+     * Workload identity token for authentication.
+     * Optional - if not provided, automatically falls back to context.workloadAccessToken
+     * when called within a request handler. If neither is available, an error is thrown.
+     */
+    workloadIdentityToken?: string | undefined;
+    /** Name of the credential provider */
+    providerName: string;
+    /** OAuth2 scopes to request */
+    scopes: string[];
+    /** Authentication flow type */
+    authFlow: 'M2M' | 'USER_FEDERATION';
+    /** Callback invoked when authorization URL is returned */
+    onAuthUrl?: ((url: string) => void | Promise<void>) | undefined;
+    /** Force re-authentication even if token exists in vault */
+    forceAuthentication?: boolean | undefined;
+    /**
+     * OAuth2 callback URL (must be pre-registered).
+     * Optional - if not provided, automatically falls back to context.oauth2CallbackUrl
+     * when called within a request handler.
+     */
+    callbackUrl?: string | undefined;
+    /** Custom state for callback validation */
+    customState?: string | undefined;
+    /** Custom parameters for authorization request */
+    customParameters?: Record<string, string> | undefined;
+}
+/**
+ * Configuration for withApiKey HOF wrapper
+ */
+export interface ApiKeyWrapperConfig {
+    /**
+     * Workload identity token for authentication.
+     * Optional - if not provided, automatically falls back to context.workloadAccessToken
+     * when called within a request handler. If neither is available, an error is thrown.
+     */
+    workloadIdentityToken?: string | undefined;
+    /** Name of the credential provider */
+    providerName: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/src/identity/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/identity/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,sCAAsC;IACtC,YAAY,EAAE,MAAM,CAAA;IACpB,+BAA+B;IAC/B,MAAM,EAAE,MAAM,EAAE,CAAA;IAChB,+BAA+B;IAC/B,QAAQ,EAAE,KAAK,GAAG,iBAAiB,CAAA;IACnC,iDAAiD;IACjD,qBAAqB,EAAE,MAAM,CAAA;IAC7B,mDAAmD;IACnD,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,4DAA4D;IAC5D,mBAAmB,CAAC,EAAE,OAAO,GAAG,SAAS,CAAA;IACzC,kDAAkD;IAClD,UAAU,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAC/B,2CAA2C;IAC3C,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,kDAAkD;IAClD,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,CAAA;IACrD,0DAA0D;IAC1D,SAAS,CAAC,EAAE,CAAC,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,SAAS,CAAA;CAChE;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,sCAAsC;IACtC,YAAY,EAAE,MAAM,CAAA;IACpB,iDAAiD;IACjD,qBAAqB,EAAE,MAAM,CAAA;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAC1C,sCAAsC;IACtC,YAAY,EAAE,MAAM,CAAA;IACpB,+BAA+B;IAC/B,MAAM,EAAE,MAAM,EAAE,CAAA;IAChB,+BAA+B;IAC/B,QAAQ,EAAE,KAAK,GAAG,iBAAiB,CAAA;IACnC,0DAA0D;IAC1D,SAAS,CAAC,EAAE,CAAC,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,SAAS,CAAA;IAC/D,4DAA4D;IAC5D,mBAAmB,CAAC,EAAE,OAAO,GAAG,SAAS,CAAA;IACzC;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,2CAA2C;IAC3C,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,kDAAkD;IAClD,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,CAAA;CACtD;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAC1C,sCAAsC;IACtC,YAAY,EAAE,MAAM,CAAA;CACrB"}