AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-01 · Documentation low

File: bedrock-agentcore/latest/devguide/oauth2-authorization-url-session-binding.md

Summary

Updated references from the Amazon Bedrock AgentCore Starter Toolkit to the AgentCore CLI, and updated the link to sample code repository.

Security assessment

The changes are purely documentation updates regarding development tooling and sample code location. There is no mention of security vulnerabilities, patches, or incidents. The changes update the local development workflow from using a starter toolkit to using the AgentCore CLI, which is a routine documentation update without security implications.

Diff

diff --git a/bedrock-agentcore/latest/devguide/oauth2-authorization-url-session-binding.md b/bedrock-agentcore/latest/devguide/oauth2-authorization-url-session-binding.md
index 3ddb1bd4f..7f070fdd6 100644
--- a//bedrock-agentcore/latest/devguide/oauth2-authorization-url-session-binding.md
+++ b//bedrock-agentcore/latest/devguide/oauth2-authorization-url-session-binding.md
@@ -36 +36 @@ The following steps walk you through setting up the workload identity, the OAuth
-You can refer to sample code from the starter toolkit as an example of a working application: [OAuth 2.0 callback server implementation](https://github.com/aws/bedrock-agentcore-starter-toolkit/blob/main/src/bedrock_agentcore_starter_toolkit/operations/identity/oauth2_callback_server.py#L50-L81).
+You can refer to sample code as an example of a working application: [OAuth 2.0 callback server implementation](https://github.com/awslabs/amazon-bedrock-agentcore-samples/blob/main/01-tutorials/03-AgentCore-identity/05-Outbound_Auth_3lo/oauth2_callback_server.py).
@@ -40 +40 @@ You can refer to sample code from the starter toolkit as an example of a working
-When you are using the [Amazon Bedrock AgentCore Starter Toolkit](https://github.com/aws/bedrock-agentcore-starter-toolkit) in a local environment, to simplify your local development and testing, the toolkit hosts the callback endpoint and calls the `CompleteResourceTokenAuth` API on your behalf to verify the user session to get OAuth 2.0 access tokens so you can skip steps 1, 2 and 4 in the following setup.
+When you are using the AgentCore CLI with `agentcore dev` in a local environment, to simplify your local development and testing, the CLI hosts the callback endpoint and calls the `CompleteResourceTokenAuth` API on your behalf to verify the user session to get OAuth 2.0 access tokens so you can skip steps 1, 2 and 4 in the following setup.
@@ -50 +50 @@ As an example, your application may have its users interact with an agent at a p
-  2. **Update workload identity with application URL** – (Can be skipped if testing locally via toolkit) Once you have created and hosted an application URL for AgentCore Identity to redirect to, update your workload identity so that the application URL is registered as an `AllowedResourceOauth2ReturnUrl`. Make sure that the IAM credentials used have permissions to call `CreateWorkloadIdentity` or `UpdateWorkloadIdentity` depending on whether you're creating a new workload identity or updating an existing one.
+  2. **Update workload identity with application URL** – (Can be skipped if testing locally via AgentCore CLI) Once you have created and hosted an application URL for AgentCore Identity to redirect to, update your workload identity so that the application URL is registered as an `AllowedResourceOauth2ReturnUrl`. Make sure that the IAM credentials used have permissions to call `CreateWorkloadIdentity` or `UpdateWorkloadIdentity` depending on whether you're creating a new workload identity or updating an existing one.