AWS Partner Network (APN) Blog

Securing enterprise ready AI agents with Auth0 for AI Agents and Amazon Bedrock AgentCore

by: Jose Alvarez, Partner Solutions Architect – AWS
by: John Walsh, Partner Solutions Architect – AWS
by: Anthony Smith, Sr. Partner Solutions Architect – AWS
by: Wayne Smiley, Principal Solutions Engineer – Auth0
by: Kapil Patil, Sr. Partner Solutions Architect – Auth0

Partner Logo
Auth0
Auth0 Connect Button

AI agents do more than answer questions. They read emails, book meetings, pull customer records, and take actions across systems on behalf of your users. By extending identity controls to these agents, you give each one a proper identity, scope its permissions to exactly what it needs, and gain a clear audit trail behind every action.

Auth0 for AI Agents provides the complete identity lifecycle for agents built on Amazon Bedrock AgentCore. Together, they let the agents you build, deploy, and operate share the same identity foundation as your workforce and customer applications.

In this post, we walk through how Auth0 and AgentCore come together across the areas that matter most: authenticating users to agents, securing agent-to-agent communication, governing tool access, enforcing fine-grained authorization, and preserving human-in-the-loop approvals.

Securing AI in a world without a blueprint

AI agents are a new category of software. Unlike traditional applications that follow predefined workflows, AI agents can reason about a problem, decide which tools to use, and take actions across multiple systems on their own. Consider an agent handling an IT support request. It might look up a user’s account information in one system, reset a password in another, and search internal documentation in a third. Each step involves different data, different permissions, and different levels of risk.

Gartner predicts that 40% of enterprise applications will integrate task-specific AI agents by the end of 2026, up from less than 5% in 2025. The AWS Security Reference Architecture provides prescriptive guidance on securing agentic workloads, but when teams move fast, common shortcuts create real exposure:

  • Shared API keys give agents broad access without awareness of which user they’re acting for.
  • Hard-coded credentials sit in configuration files, where they’re difficult to rotate and hard to scope to a specific user or action.
  • Passing tokens through a large language model (LLM) and its reasoning layer can disclose credentials in ways that are difficult to monitor with traditional application security tooling.

These shortcuts compound when the access control model itself wasn’t built for agentic workloads. Role-based access control (RBAC), for example, assigns permissions based on a user’s role at login time. AI agents discover information dynamically during a conversation and might need different permissions for each action they take. In this case, you need authorization that evaluates permissions on an ongoing basis, at the level of individual actions, and adapts in real time as roles and relationships change.

For sensitive operations, there is also the question of when a human should still make the final call. Compliance requirements in regulated industries such as healthcare, finance, and government increasingly require that high-risk actions, like resetting a password or modifying financial records, receive explicit human approval before an agent can proceed.

These challenges point to a common need: identity and access management must sit at the center of your AI agent security strategy.

How Auth0 and Amazon Bedrock AgentCore work together

Auth0 for AI Agents and Amazon Bedrock AgentCore address different but complementary parts of this challenge. Understanding what each service is responsible for is key to seeing how they work together.

Auth0 for AI Agents gives you the enforcing function for user identity in agent workflows. It uses upstream identity providers, such as Okta or social connections, to create and maintain the user’s identity so agents operate on behalf of the authenticated and authorized user. Auth0 provides the identity context and fine-grained access control based on the user’s profile and permissions.

Amazon Bedrock AgentCore provides the runtime infrastructure for building, deploying, and operating AI agents at scale. It validates inbound requests to agents and routes outbound tool invocations through Amazon Bedrock AgentCore Gateway, acting as the execution boundary for agent interactions and applying access control across services from Amazon Web Services (AWS) and external systems.

Consistent with the AWS Shared Responsibility Model, AWS and Auth0 provide the services and controls; you’re responsible for configuring identity policies, authorization rules, and approval workflows appropriate for your workloads.

The next sections describe how Auth0 and AgentCore come together across the key areas of agent security.

Restricting access to authenticated users

Before an AI agent can respond to a request, it needs to verify who’s asking. AgentCore uses Auth0 as the identity provider through standard OpenID Connect (OIDC) discovery, so only users with the appropriate credentials and access rights can invoke an agent. Your users authenticate through the same Auth0 login experience they use across your other applications, including enterprise connections to identity providers such as Okta. That means your AI-powered workflows inherit the same multi-factor authentication (MFA) policies and session management as your traditional applications. The following screenshot shows the Auth0 dashboard with the available enterprise identity provider connections.

Figure 1: Auth0 dashboard

Figure 1: Auth0 dashboard

Delegating user identity for API calls

When an agent needs to call an external API on behalf of a user, for example to retrieve calendar events from Google or look up account information in a customer relationship management (CRM) system, it needs to act with that user’s permissions without exposing their credentials. Auth0 delegates user identity to the agent, and Auth0 Token Vault stores the access tokens from upstream identity provider connections. Agents retrieve these tokens just in time through a token exchange mechanism, scoped to the specific agent and user combination. The tokens don’t pass through the agent’s reasoning layer. This workflow is shown in the following diagram.

Figure 2: Auth0 Token Vault delegating user identity so the password reset agent can call an external API with a just-in-time federated token

Figure 2: Auth0 Token Vault delegating user identity so the password reset agent can call an external API with a just-in-time federated token

Securing agent-to-agent communication

In multi-agent architectures, a supervisor agent delegates tasks to specialized subagents, and each interaction between agents needs to be authenticated. Auth0 machine-to-machine (M2M) tokens authenticate these interactions following the agent-to-agent (A2A) protocol, an open specification for how autonomous agents authenticate and exchange requests. With A2A in place, agents don’t operate on implicit trust.

Figure 3: A2A authentication flow showing how Auth0 M2M JWT tokens authenticate agent-to-agent communication between the supervisor agent and subagents.

Figure 3: A2A authentication flow showing how Auth0 M2M JWT tokens authenticate agent-to-agent communication between the supervisor agent and subagents.

Governing tool access through the gateway

When an AgentCore Runtime agent needs to reach external APIs or Model Context Protocol (MCP) servers, AgentCore Gateway manages and controls those outbound connections. The user’s Auth0-issued access token is included in requests to the gateway, which validates the token’s signature, expiration, audience, and custom claims before routing the invocation to downstream tools. Only requests backed by a valid, Auth0-issued identity reach downstream resources. For direct MCP integrations that bypass the gateway, authentication is handled by the MCP server’s own configuration and credential management

Figure 4: AgentCore Gateway governing tool access, with Auth0 M2M JWT validation before invoking the Lambda documentation search tool

Figure 4: AgentCore Gateway governing tool access, with Auth0 M2M JWT validation before invoking the Lambda documentation search tool

Enforcing fine-grained authorization

Auth0 Fine-Grained Authorization (FGA) provides a framework for defining and enforcing granular permissions based on user attributes and relationships. FGA evaluates permissions at the time of each agent action and can adapt in real time as roles and relationships change, giving organizations ongoing control over what each agent can do on behalf of a given user.

Keeping humans in the loop for sensitive operations

For high-risk actions, Auth0 Client Initiated Backchannel Authentication (CIBA) lets the agent pause its workflow and send a push notification to the user’s device requesting explicit approval. AgentCore can use Auth0 CIBA actions to establish this out-of-band approval channel. The agent only proceeds after the user confirms, preserving human judgment for these operations.

Managing credentials

Both Auth0 and Amazon Bedrock AgentCore provide token vault capabilities with distinct, complementary responsibilities, and in most production deployments, you’ll use both:

  • Auth0 Token Vault stores tokens for upstream identity provider connections. Use it when your agent needs to act on behalf of a user against third-party APIs (such as Google, Salesforce, or Microsoft 365) without requiring repeated OAuth flows.
  • Amazon Bedrock AgentCore Identity token vault can initiate and run the full OAuth 2.0 approval flow needed to reach downstream resources, and it stores the resulting tokens for later noninteractive use by agents. Use it when AgentCore itself is brokering access to resources the agent depends on at runtime.

In both cases, credentials are scoped, short-lived, and aren’t exposed to the agent’s reasoning layer.

The following diagram shows the solution architecture.

Figure 7: Reference architecture showing how Auth0 for AI Agents provides OIDC login, fine-grained permissions, and async authorization for agents running on Amazon Bedrock AgentCore Runtime

Figure 5: Reference architecture showing how Auth0 for AI Agents provides OIDC login, fine-grained permissions, and async authorization for agents running on Amazon Bedrock AgentCore Runtime

Why it matters for AWS customers

If you’re already using Auth0, Amazon Bedrock AgentCore support for external identity providers gives you a straightforward path to securing AI agents with the same identity service you use to protect your existing applications. Instead of building separate identity infrastructure for AI agents, you can connect your Auth0 tenant to AgentCore and apply familiar authentication flows, user directories, and security policies to your AI-powered workflows.

This collaboration between AWS and Auth0 is designed to reduce identity overhead for your agent developers and replace fragmented security with a consistent, maintainable model. Your product teams can focus on building agent capabilities, while identity and access management is handled by services purpose-built for it.

Auth0 is offered through AWS Marketplace, making it straightforward for customers to procure and deploy on AWS.

Getting started

You can start bringing Auth0 for AI Agents and Amazon Bedrock AgentCore together in your AWS account today. Wherever you are in your agent journey, there’s a path forward.

To talk through an implementation for your workloads, contact your AWS account team or reach out through the AWS partner contact form.

Auth0 – AWS Partner Spotlight

Auth0 is an AWS Security Competency Partner that takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need.

Contact Auth0 | Partner Overview | AWS Marketplace