https://kane.mx/tags/sst/Recent content in SST on The roadHugo -- gohugo.ioenTue, 19 May 2026 00:00:00 +0000https://kane.mx/posts/2026/agentcore-gateway-cognito-mcp-oauth/Tue, 19 May 2026 00:00:00 +0000https://kane.mx/posts/2026/agentcore-gateway-cognito-mcp-oauth/ <h2 id="introduction">Introduction</h2> <p><a href="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway.html">Amazon Bedrock AgentCore Gateway</a> is the most pragmatic way to host a Model Context Protocol server on AWS today. Declare your tools as OpenAPI or as Lambda targets, get a managed multi-target MCP endpoint, and inherit AWS-native authentication via a <code>customJwtAuthorizer</code>. For machine-to-machine traffic that pattern is excellent.</p> <p>The moment you ask an interactive MCP client — <a href="https://docs.claude.com/en/docs/claude-code/overview">Claude Code</a>, Cursor, the <a href="https://github.com/modelcontextprotocol/inspector">MCP Inspector</a> — to talk to that same gateway with a per-user OAuth flow, the seams show. AgentCore Gateway expects a JWT and trusts whatever issuer you wired into its authorizer. Pair it with <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html">Amazon Cognito</a> and the wiring works for the <em>server</em> side. It does not work for the <em>client</em> side, because Cognito is an OIDC identity provider, not an MCP-compliant authorization server. The two are not the same thing.</p> <p><a href="https://kane.mx/posts/2026/agentcore-gateway-cognito-mcp-oauth/">Read More</a></p>