Skip to content

Add 'None' auth option for Gateway targets (OpenAPI) to support pass-through JWT #1734

Description

@jesseturner21

Description

When creating a Gateway target from an OpenAPI spec file, the CLI only offers two outbound auth options: API key and OAuth. There is no None option.

This blocks a valid use case: customers who use an interceptor Lambda to pass through an existing JWT token. Their users are already authenticated, so no gateway-managed credential is needed — downstream services verify the JWT that gets passed through. Today these customers are forced to pick API key or OAuth even though neither will be used.

Request: Add a "None" (no outbound auth) option when creating an OpenAPI Gateway target.

Acceptance Criteria

  • agentcore add gateway-target with an OpenAPI spec offers a "None" auth option alongside API key and OAuth
  • Selecting "None" configures the target with no outbound credential provider
  • The resulting schema / CDK output correctly represents a target with no auth
  • Documentation/help text explains the pass-through JWT use case for "None"

Additional Context

Reported via customer feedback (Aperture form submission).

  • CLI version: 0.21.0
  • OS: linux 6.1.170-210.320.amzn2023.x86_64, node v20.19.3

When we create Gateway target to OpenAPI spec file. We have two auth options API key and OAuth. But there is no None option for cases when we want to use interceptor lambda to pass through existing JWT token, because users are already authenticated. But must choose one of these options and we will not use any of them. Downstream services will verify JWT we pass through.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions