Support for AWS SigV4 + Passing OIDC Token to AgentCore Runtime

[MPeli]

❓ Support for AWS SigV4 + Passing OIDC Token to AgentCore Runtime

Hi,

We are using LibreChat with an AWS Bedrock AgentCore runtime as a custom endpoint:

https://bedrock-agentcore.eu-west-1.amazonaws.com/runtimes/<runtime-arn>/invocations?qualifier=DEFAULT

This works today only because our runtime is configured for JWT inbound auth, and LibreChat forwards the OIDC token via:

Authorization: "Bearer {{LIBRECHAT_OPENID_TOKEN}}"

However, our security team is blocking JWT.

We must switch the runtime back to IAM/SigV4, which is the default auth method for AgentCore runtimes.

LibreChat’s custom endpoint client does not perform AWS SigV4 signing (it only sends plain HTTP + static headers).

But in our use case we still need to pass the user’s OIDC token to the AgentCore runtime (for downstream tools), and we need LibreChat to sign the request itself using SigV4.

👉 Question

Is there any supported way for LibreChat to:

1. Sign outgoing requests using AWS SigV4, and
2. Pass the user’s OIDC token in a header at the same time,
3. When calling an AgentCore InvokeAgentRuntime endpoint?

Or should we assume we must build an external proxy that performs SigV4 signing on behalf of LibreChat?

Thanks!