Streamline AI agent device interactions: Join API Gateway to AgentCore Gateway with MCP

AgentCore Gateway now helps API Gateway. As organizations discover the chances of agentic purposes, they proceed to navigate challenges of utilizing enterprise knowledge as context in invocation requests to giant language fashions (LLMs) in a fashion that’s safe and aligned with enterprise insurance policies. To assist standardize and safe these interactions, many organizations are utilizing the Model Context Protocol (MCP) specification, which defines how agentic purposes can securely connect with knowledge sources and instruments.

Whereas MCP has been advantageous for internet new use instances, organizations additionally navigate challenges with bringing their current API property into the agentic period. MCP can definitely wrap current APIs, but it surely requires extra work, translating requests from MCP to RESTful APIs, ensuring safety is maintained by all the request move, and making use of the usual observability required for manufacturing deployments.

Amazon Bedrock AgentCore Gateway now helps Amazon API Gateway as a goal, translating MCP requests to AgentCore Gateway into RESTful requests to API Gateway. Now you can expose each new and current API endpoints to agentic purposes utilizing MCP, with built-in safety and observability. This publish covers these new capabilities and reveals easy methods to implement them.

What’s new: API Gateway assist in AgentCore Gateway

AgentCore Gateway now helps API Gateway targets along with existing target types (Lambda features, OpenAPI schemas, Smithy fashions, and MCP servers).

Our prospects have efficiently constructed intensive API ecosystems utilizing API Gateway, connecting backends throughout quite a few purposes. As enterprises advance towards next-generation agentic purposes, the pure evolution is to reveal these current APIs and backend instruments to AI-powered methods, enabling seamless integration between established infrastructure and trendy clever brokers.

This integration between AgentCore Gateway and API Gateway simplifies the connection between API Gateway and AgentCore Gateway. It permits you to immediately goal API Gateway, so that you just don’t have to export API Gateway APIs as an OpenAPI 3 specification after which add it to AgentCore Gateway as an OpenAPI goal.

With this integration, a brand new API_GATEWAY goal sort can be added to AgentCore Gateway, eliminating the handbook export/import course of. REST API house owners can add their API as an AgentCore Gateway goal with just a few console interactions or a single CLI command to reveal their current REST API as MCP instruments utilizing AgentCore Gateway. API shoppers can then join AI brokers with these REST APIs by the Mannequin Context Protocol (MCP) and energy their workflows with AI integration. Your agentic purposes can now connect with your new or current API Gateway API. This integration between AgentCore Gateway and API Gateway helps IAM and API key authorization.

Each AgentCore Gateway and API Gateway have integrations with Amazon CloudWatch Logs, AWS CloudTrail, and AWS X-Ray for observability. Agent builders utilizing this new functionality between AgentCore Gateway and API Gateway can use these observability instruments.

Walkthrough

This publish reveals you easy methods to arrange an current REST API with API Gateway as a goal for AgentCore Gateway. With this integration you need to use your current REST APIs as a device in your agentic purposes uncovered utilizing AgentCore Gateway.

Conditions

For this instance, you want the next:

• An AWS account with an current REST API in API Gateway.
• An Identity and Access Management (IAM) position or person with sufficient permissions to create an AgentCore Gateway and arrange an API Gateway goal.

You possibly can create gateways and add targets in a number of methods:

This publish makes use of Boto3 for organising the combination between AgentCore Gateway and API Gateway. For an interactive walkthrough, you need to use the Jupyter Pocket book pattern on GitHub.

Arrange stipulations for inbound and outbound authorization.

Inbound authorization authenticates incoming person requests. Outbound authorization helps AgentCore Gateway to securely connect with gateway targets, comparable to an API Gateway, on behalf of the authenticated person.

For API Gateway as a goal, AgentCore Gateway helps the next forms of outbound authorization:

• No authorization (not really helpful) – Some goal varieties present you the choice to bypass outbound authorization. We don’t advocate this much less safe choice.
• IAM-based outbound authorization – Use the gateway service role to authorize entry to the gateway goal with AWS Signature Version 4 (Sig V4).
• API key – Use the API key, which is about up utilizing AgentCore Id to authorize entry to API Gateway goal. API keys created utilizing an API Gateway mapped with API Gateway utilization plans, helps you monitor and management API utilization. Please seek advice from this documentation for extra particulars.

Create an IAM role with the belief coverage from the documentation.

• For Outbound Authorization with IAM-based authorization, the coverage ought to embody execute-api:Invoke permission. Pattern inline coverage:

{
    "Model": "2012-10-17",
    "Assertion": [
        {
            "Action": [
                "execute-api:Invoke", 
            ],
            "Useful resource": " "arn:aws:execute-api:{AWS_Region}:{AWS_Account_ID}:api-id/stage/METHOD_HTTP_VERB/resource-path",
            "Impact": "Permit"
        }
    ]
}

As soon as completed, replace the coverage as described within the AgentCore Gateway documentation.

Create an AgentCore Gateway

When utilizing the AgentCore starter toolkit, you possibly can create a gateway with a default authorization configuration utilizing Amazon Cognito for JWT-based inbound authorization.

import boto3
gateway_client = boto3.consumer('bedrock-agentcore-control')
auth_config = {
    "customJWTAuthorizer": { 
        "allowedClients": ['<cognito_client_id>'],  # Consumer MUST match with the ClientId configured in Cognito. Instance: 7rfbikfsm51j2fpaggacgng84g
        "discoveryUrl": <cognito_oauth_discovery_url>
    }
}
create_response = gateway_client.create_gateway(
title="sample-ac-gateway",
    	roleArn='<IAM_Role_ARN>', # The IAM Function will need to have permissions to create/record/get/delete Gateway
    protocolType="MCP",
    protocolConfiguration={
        'mcp': {
            'supportedVersions': ['2025-03-26'],
            'searchType': 'SEMANTIC'
        }
    },
    authorizerType="CUSTOM_JWT",
    authorizerConfiguration=auth_config,
    description='AgentCore Gateway with API Gateway goal'
)
print(create_response)
# Retrieve the GatewayID used for GatewayTarget creation
gatewayID = create_response["gatewayId"]
gatewayURL = create_response["gatewayUrl"]
print(gatewayID)

This returns GATEWAY_ID that you will want to create the gateway goal.

Create an AgentCore Gateway goal

Create a goal configuration

To create an API gateway goal, you have to specify the next because the a part of goal configuration:

• toolFilters: Use this to find out what assets on the REST API can be uncovered as device on the gateway. Filters additionally assist wildcards within the filterPath.
• toolOverrides (non-compulsory): Use this to permit customers to override device names and outline. It’s essential to specify specific paths and strategies.
• restApiId: Use this to go API Gateway ID.

Under are just a few examples of goal configurations:

Instance 1

This exposes GET & POST /pets, GET /pets/{petId} to the gateway and overrides their device names and descriptions.

{
  "mcp": {
    "apiGateway": {
      "restApiId": "<api-id>",
      "stage": "<stage>",
      "apiGatewayToolConfiguration": {
        "toolFilters": [
          {
            "filterPath": "/pets",
            "methods": ["GET","POST"]
          },
          {
            "filterPath": "/pets/{petId}",
            "strategies": ["GET"]
          }
        ],
	  "toolOverrides" : [
          {
             "name": "ListPets",
             "path": "/pets",
             "method": "GET",
             "description":"Retrieves all the available Pets."
         },
         {
              "name": "AddPet",
              "path": "/pets",
              "method": "POST",
               "description":"Add a new pet to the available Pets."
          },
          {
             "path": "/pets/{petId}",
             "method": "GET",
             "name": "GetPetById",
             "description": "Retrieve a specific pet by its ID"
         }
         ]	
      }
    }
  }
}

Instance 2

It will expose GET /pets but in addition GET /pets/{petId} or something underneath /pets. Since toolOverrides isn’t specified, it would use the useful resource description from API Gateway.

{
  "mcp": {
    "apiGateway": {
      "restApiId": "<api-id>",
      "stage": "<stage>",
      "apiGatewayToolConfiguration": {
        "toolFilters": [
          {
            "filterPath": "/pets/*",
            "methods": ["GET"]
          }
        ]
      }
    }
  }
}

Credential supplier configuration

When making a goal, you additionally have to specify the goal’s outbound authorization utilizing a credential supplier configuration. As mentioned above, there are three forms of credential suppliers:

GATEWAY_IAM_ROLE

This makes use of the ROLE_ARN you specified when creating the gateway. Outline the credential supplier configuration as follows:

[
    {
        "credentialProviderType": "GATEWAY_IAM_ROLE"
    }
]

API_KEY

This requires the creation of an API key credential provider with AgentCore Id.

[
    {
        "credentialProviderType": "API_KEY",
        "credentialProvider": {
            "apiKeyCredentialProvider": {
                "providerArn": "<provider-arn>",
                "credentialParameterName": "x-api-key", // optional
                "credentialPrefix": "abc",              // optional, prefix is added to the API key when sending it to the target endpoint
                "credentialLocation": "HEADER"          //optional, specifies where in the request the API key should be placed
            }
        }
    }
]

NO_AUTH

NO_AUTH may be configured by not specifying a credential supplier configuration whereas creating the AgentCore Gateway goal. This isn’t really helpful.

Create an AgentCore Gateway goal

Now configure your REST API as a gateway goal:

import boto3
gateway_client = boto3.consumer('bedrock-agentcore-control')
create_gateway_target_response = gateway_client.create_gateway_target(
    title="api-gateway-target",
    gatewayIdentifier="<gateway_ID>",
    targetConfiguration=[< your_target_configuration>],
    credentialProviderConfigurations=[<your_credential_config>]
)
print(create_gateway_target_response)
gateway_target_id=create_gateway_target_2_response['targetId']

Take a look at gateway with the Strands Agent framework

Take a look at the gateway with the Strands Agents framework to record and name the obtainable instruments from MCP server. You may as well use different MCP-compatible brokers constructed with completely different agentic frameworks.

def create_streamable_http_transport():
    return streamablehttp_client(
        gatewayURL, headers={"Authorization": f"Bearer {<Bearer_Token>}"}
    )
consumer = MCPClient(create_streamable_http_transport)
with consumer:
    # Name the listTools
    instruments = consumer.list_tools_sync()
    # Create an Agent with the mannequin and instruments
    agent = Agent(mannequin=yourModel, instruments=instruments)  ## you possibly can change with any mannequin you want
    # Invoke the agent with the pattern immediate. It will solely invoke MCP listTools and retrieve the record of instruments the LLM has entry to. The under doesn't truly name any device.
    agent("Hello, are you able to record all instruments obtainable to you")
    # Device calling
    agent("Checklist all of the obtainable pets")
    agent("Inform me concerning the pet with petId 3 ")
    agent("When my order can be delivered? My order id is 2")

You’ll observe the next output:

I've entry to the next instruments:
1. **x_amz_bedrock_agentcore_search** - A search device that returns a trimmed down record of instruments primarily based on a offered context/question
2. **api-gateway-target-1___Add_Pet** - Add a brand new pet to the obtainable Pets
3. **api-gateway-target-1___GetPetById** - Retrieve a particular pet by its ID (requires petId parameter)
4. **api-gateway-target-1___List_Pets** - Retrieves all of the obtainable Pets (non-compulsory parameters: web page, sort)
5. **api-gateway-target-2___GetOrderById** - Retrieve a particular order by its ID (requires orderId parameter)
I will retrieve all of the obtainable pets for you.
Device #1: api-gateway-target-1___List_Pets
"HTTP/1.1 200 OK"
Listed below are all of the obtainable pets:
1. **Pet ID 1** - Canine - $249.99
2. **Pet ID 2** - Cat - $124.99  
3. **Pet ID 3** - Fish - $0.99
I will retrieve the small print for pet ID 3.
Device #2: api-gateway-target-1___GetPetById
"HTTP/1.1 200 OK"
Listed below are the small print for pet ID 3:
- **Pet ID**: 3
- **Kind**: Fish
- **Worth**: $0.99
I will examine the small print of your order with ID 2 to see the supply info.
Device #3: api-gateway-target-2___GetOrderById
"HTTP/1.1 200 OK"
Primarily based in your order particulars:
- **Order ID**: 2
- **Pet Class**: Cat
- **Worth**: $124.99
- **Supply Date**: 02-12-2025 (December 2nd, 2025)
Your cat order can be delivered on **December 2nd, 2025**.

Observability

Enable application logs and tracing in your AgentCore Gateway useful resource. You will notice detailed logs to assist monitor and troubleshoot your AgentCore Gateway useful resource. It can embody the device calls carried out by your agentic software, request parameters, responses, and errors if any.

Instance logs:

{
    "resource_arn": "arn:aws:bedrock-agentcore:us-west-2:<AWS_Account_Id>:gateway/sample-ac-gateway2-mgtqozexct",
    "event_timestamp": 1763621922275,
    "physique": {
        "isError": false,
        "log": "Executing device api-gateway-target-1___GetPetById from goal W8BCF5VEAZ",
        "id": "3"
    },
    "account_id": "<AWS_Account_Id>",
    "request_id": "8a70f423-79ee-4168-9d68-b76ad3*****",
    "trace_id": "324a2ecc08631a55a02bb8f74104****",
    "span_id": "f58914982450ad9b",
    "timestamp": "1763621922275",
    "gateway_id": "sample-ac-gateway2-mgtqozexct"
} 
{
    "resource_arn": "arn:aws:bedrock-agentcore:us-west-2: <AWS_Account_Id>:gateway/sample-ac-gateway2-mgtqozexct",
    "event_timestamp": 1763621922348,
    "physique": {
        "isError": false,
        "responseBody": "{jsonrpc=2.0, id=3, end result={isError=false, content material=[{type=text, text={"id":3,"type":"fish","price":0.99}}]}}",
        "log": "Efficiently processed request",
        "id": "3"
    },
    "account_id": "<AWS_Account_Id>",
    "request_id": "8a70f423-79ee-4168-9d68-b76ad3ef****",
    "trace_id": "324a2ecc08631a55a02bb8f7410****",
    "span_id": "f58914982450ad9b",
    "timestamp": "1763621922348",
    "gateway_id": "sample-ac-gateway2-mgtqozexct"
}

Together with this, AgentCore Gateway provides detailed CloudWatch metrics together with the utilization metrics (TargetType, IngressAuthType, EgressAuthType, RequestsPerSession), invocation metrics (Invocations, ConcurrentExecutions, Periods), efficiency metrics (Latency, Length, TargetExecutionTime), and error charges (Throttles, SystemErrors, UserErrors).

AgentCore Gateway additionally helps AWS X-Ray and OTEL conformant vended spans that prospects can use to trace invocations throughout completely different primitives which might be getting used.

To be taught extra, see the AgentCore Gateway Observability documentation.

Clear up

To keep away from recurring expenses, be sure that to delete the assets created by operating the next code.

import boto3
gateway_client = boto3.consumer('bedrock-agentcore-control')
# Deleting the Gateway 
Targetresponse = gateway_client.delete_gateway_target( gatewayIdentifier="<Gateway_Id>", targetId='<Target_Id>')print(response)
# Deleting the Gateway 
response = gateway_client.delete_gateway(
gatewayIdentifier="<Gateway_Id>")
print(response)

Conclusion

AgentCore Gateway now helps Amazon API Gateway as a goal, exposing REST APIs as MCP-compatible endpoints. You possibly can convey your current API infrastructure to agentic use instances whereas utilizing your present safety and observability instruments.

Go to our developer documentation and workshop to be taught extra and get began at this time.

In regards to the authors

With over 6+ years at AWS, Sparsh Wadhwa brings deep experience in serverless, event-driven architectures, and Generative AI to his work with ISV prospects in India. As a Options Architect, he companions with Impartial Software program Distributors to reimagine their merchandise for the cloud period—from modernizing legacy methods to embedding AI capabilities that differentiate their choices. Sparsh believes one of the best options emerge from understanding each technical potentialities and enterprise context.

Heeki Park is a Principal Options Architect at AWS. In his 9+ years at AWS, he helped enterprise prospects take into consideration easy methods to construct and function cloud-native purposes, undertake serverless and event-driven patterns, and construct pragmatic generative AI purposes. Heeki is an avid runner and enjoys analyzing exercise knowledge to measure enchancment in cardiovascular health.

Dhawal Patel is a Principal Generative AI Tech lead at AWS. He has labored with organizations starting from giant enterprises to mid-sized startups on issues associated to agentic AI, deep studying, and distributed computing.