AWS Security ChangesHomeSearch

AWS bedrock-agentcore high security documentation change

Service: bedrock-agentcore · 2026-07-01 · Security-related high

File: bedrock-agentcore/latest/devguide/payments-troubleshooting.md

Summary

Added 'Payment processing errors' section with Coinbase/Privy integration troubleshooting

Security assessment

The change documents credential management errors and resolution steps for payment integrations, including security-critical instructions for updating expired keys and configuring delegated signing permissions.

Diff

diff --git a/bedrock-agentcore/latest/devguide/payments-troubleshooting.md b/bedrock-agentcore/latest/devguide/payments-troubleshooting.md
index ed600c5bb..294a43263 100644
--- a//bedrock-agentcore/latest/devguide/payments-troubleshooting.md
+++ b//bedrock-agentcore/latest/devguide/payments-troubleshooting.md
@@ -7 +7 @@
-Validation errorsPermission errorsResource not found errorsConflict errorsService quota errorsThrottling errorsServer errors
+Validation errorsPermission errorsResource not found errorsConflict errorsService quota errorsThrottling errorsPayment processing errorsServer errors
@@ -65,0 +66,28 @@ The service returns `"Rate exceeded"` when the request rate exceeds the allowed
+## Payment processing errors
+
+If an external payment provider rejects the signing request, the service returns an `AccessDeniedException` or `ValidationException`. The following table lists common errors and their resolutions.
+
+Error message | Resolution  
+---|---  
+`Delegated signing grant is not active for the end user wallet. Please redirect end user to the WalletHub to grant the permissions.` |  You haven’t granted the delegation permission that allows your agent to sign transactions on your behalf, or you previously revoked it. To resolve:
+
+  1. Retrieve the WalletHub URL from the `CreatePaymentInstrument` or `GetPaymentInstrument` response body (`paymentInstrumentDetails.redirectUrl`).
+  2. Redirect the user to the WalletHub.
+  3. Sign in and grant signing permissions to the agent.
+
+For more information about a frontend implementation that handles the delegation grant flow, see the [Coinbase AgentCore template](https://github.com/coinbase/cdp-agentcore-template) on the GitHub website. For more information about funding the wallet, see [Funding the wallet](./payments-how-it-works.html#payments-how-it-works-funding-wallet).  
+`Delegated signing is not enabled for your Coinbase project. Please enable delegated signing in your Coinbase project policies.` |  Your Coinbase Developer Platform project does not have delegated signing configured. To resolve:
+
+  1. Sign in to the [Coinbase Developer Platform](https://docs.cdp.coinbase.com/api-reference/v2/authentication) on the Coinbase website.
+  2. Navigate to your project’s **Policies** settings.
+  3. Enable the **Delegated Signing** toggle.
+
+You must complete this step before your agent can sign transactions on behalf of users.  
+`Privy credentials are invalid. Please verify the credential configuration.` |  Your credential provider has invalid or expired Privy wallet authorization keys. To resolve:
+
+  1. Sign in to the [Privy Dashboard](https://docs.privy.io/authentication/overview#api-authentication) on the Privy website.
+  2. Navigate to your app’s settings and verify the authorization keys are active.
+  3. Update the credential provider in AgentCore Identity with the current keys. To do this, call `UpdatePaymentConnector` or update the secret in AWS Secrets Manager.
+
+For more information about credential configuration, see the [Privy AgentCore SDK](https://github.com/privy-io/aws-agentcore-sdk) on the GitHub website.  
+