Skip to content

fix: fail fast when CUSTOM_JWT agent has no bearer token available#817

Merged
aidandaly24 merged 1 commit intomainfrom
fix/custom-jwt-silent-fallback
Apr 13, 2026
Merged

fix: fail fast when CUSTOM_JWT agent has no bearer token available#817
aidandaly24 merged 1 commit intomainfrom
fix/custom-jwt-silent-fallback

Conversation

@aidandaly24
Copy link
Copy Markdown
Contributor

@aidandaly24 aidandaly24 commented Apr 10, 2026

Description

When an agent is configured for CUSTOM_JWT but no OAuth client credentials are stored (i.e., --client-id and --client-secret were not provided during agentcore add agent), agentcore invoke silently falls back to SigV4 authentication. The runtime rejects SigV4 with a cryptic "Authorization method mismatch" error, giving the user no indication of what went wrong.

This PR adds:

  • CLI non-interactive path (src/cli/commands/invoke/action.ts): Returns a clear error when CUSTOM_JWT is configured but no token is available, guiding the user to either provide --bearer-token or re-add the agent with --client-id and --client-secret.
  • TUI interactive path (src/cli/tui/screens/invoke/useInvokeFlow.ts): Shows a warning message when auto-fetch isn't possible, guiding the user to press T to enter a token manually.

Related Issue

Closes #814

Documentation PR

N/A

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Other (please describe):

Testing

How have you tested the change?

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck
  • I ran npm run lint
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

All pre-existing test failures are unchanged (19 failing test files on main, 19 with this change — identical set).

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.

@aidandaly24
fix: fail fast when CUSTOM_JWT agent has no bearer token available
0a7d9a6 
When an agent is configured for CUSTOM_JWT but no OAuth credentials are
stored and no --bearer-token is provided, the CLI silently fell back to
SigV4 auth which always fails with a cryptic "Authorization method
mismatch" error. Now the CLI returns a clear error message in the
non-interactive path, and the TUI shows a warning guiding the user to
press T to enter a token manually.

Closes #814
@aidandaly24 aidandaly24 requested a review from a team April 10, 2026 22:11
@github-actions github-actions bot added the size/xs PR size: XS label Apr 10, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 10, 2026

Package Tarball

aws-agentcore-0.8.0.tgz

How to install

npm install https://github.com/aws/agentcore-cli/releases/download/pr-817-tarball/aws-agentcore-0.8.0.tgz

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 10, 2026

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 44.48% 7044 / 15835
🔵 Statements 43.95% 7473 / 17002
🔵 Functions 41.88% 1260 / 3008
🔵 Branches 43.44% 4727 / 10880
Generated in workflow #1724 for commit 0a7d9a6 by the Vitest Coverage Report Action

notgitika
notgitika approved these changes Apr 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@notgitika notgitika left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@aidandaly24 aidandaly24 merged commit 96de3d2 into main Apr 13, 2026
23 checks passed
@aidandaly24 aidandaly24 deleted the fix/custom-jwt-silent-fallback branch April 13, 2026 14:22
aidandaly24 added a commit that referenced this pull request Apr 13, 2026
@aidandaly24
fix: update E2E test regex to match new CUSTOM_JWT client-side error
7642e0d 
PR #817 changed invoke to fail fast client-side when a CUSTOM_JWT agent
is invoked without a bearer token, producing a different error message.
The E2E assertions still expected the old server-side "authorization
mismatch" pattern, causing two test failures on main.
@aidandaly24 aidandaly24 mentioned this pull request Apr 13, 2026
Merged
15 tasks
aidandaly24 added a commit that referenced this pull request Apr 13, 2026
@aidandaly24
fix: update E2E test regex to match new CUSTOM_JWT client-side error (#…
4f178a5 
…832)

PR #817 changed invoke to fail fast client-side when a CUSTOM_JWT agent
is invoked without a bearer token, producing a different error message.
The E2E assertions still expected the old server-side "authorization
mismatch" pattern, causing two test failures on main.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vivdalal vivdalal vivdalal approved these changes

@notgitika notgitika notgitika approved these changes

Assignees

No one assigned

Labels

size/xs PR size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

agentcore invoke silently falls back to SigV4 when CUSTOM_JWT agent has no bearer token

3 participants

@aidandaly24 @vivdalal @notgitika