Create a Payment Manager Lifecycle states Get a Payment Manager List Payment Managers Delete a Payment Manager Next steps

Create a Payment Manager and Connector

A Payment Manager is the top-level resource that coordinates payment operations for your AWS account. When you create a Payment Manager, you specify an authorizer type and an IAM role, and the service provisions a corresponding workload identity in AgentCore Identity.

This guide walks you through creating a Payment Manager and attaching a Payment Connector using the AWS Management Console or the AWS SDK. For the complete request and response schemas, see CreatePaymentManager and CreatePaymentConnector in the API Reference.

Before you begin, ensure you have:

Completed the Prerequisites (account, credentials, provider keys).
Set up the required IAM roles (administrator role and service role).

Create a Payment Manager

Example

Console

Step 1: Open the Payments page

Open the Amazon Bedrock AgentCore console.
In the navigation pane, under Build, choose Payments.
In the Payment Managers section, choose Create Payment Manager.

Step 2: Configure Payment Manager details

For Name, enter a name for your Payment Manager. The name must start with a letter. Valid characters are a–z, A–Z, 0–9. The name can have up to 48 characters.
(Optional) Choose Description to expand the section, and then enter a description to help identify this Payment Manager.

Step 3: Configure permissions

The Permissions section specifies the permissions for this Payment Manager and the AWS resources that the payment can access.

For IAM Permissions, choose one of the following options:

Create and use a new service role — Amazon Bedrock AgentCore payments creates a new service role on your behalf. A default service role name is generated automatically. For more information, see Service role permissions.
Use an existing service role — Use a service role that you have already created. If you choose this option, select a role from the dropdown list.

Step 4: Configure inbound authorization

Inbound authorization controls who can access this Payment Manager. In the Inbound Auth section, for Inbound Auth type, choose one of the following options:

To use IAM authorization:

Choose Use IAM username. This uses the IAM username that you used to sign in to the AWS console.

To use JWT authorization with Amazon Cognito:

Choose Use JSON Web Tokens (JWT).
For JWT schema configuration, choose Quick create configurations with Cognito - recommended. Amazon Bedrock AgentCore payments creates the inbound authorization configurations on your behalf using Amazon Cognito as the identity provider. No additional configuration is required.

To use JWT authorization with an existing identity provider:

Choose Use JSON Web Tokens (JWT).
For JWT schema configuration, choose Use existing Identity provider configurations. This option lets you bring existing inbound authorization configurations from any identity provider to enable OAuth 2.0.
For Discovery URL, enter the discovery URL from your identity provider (for example, Okta or Cognito), typically found in that provider’s documentation. This allows your agent or tool to fetch login, downstream resource token, and verification settings. For example, https://accounts.cognito.com/.well-known/openid-configuration.
For Allowed audiences, enter client IDs that are registered with identity providers or any arbitrary string in the JWT audience claim that the authorizer must verify. Choose + Add audience to add additional audiences.
For Allowed clients, enter client IDs that are registered with identity providers or any arbitrary string in the JWT audience claim that the authorizer must verify. Choose + Add client to add additional clients.
For Allowed scopes, enter the required scopes. Access is allowed only if the token contains at least one of the required scopes configured here. Choose + Add scope to add additional scopes.
(Optional) For Custom claims, define rules that match specific claims in the incoming token against predefined values. For each rule, specify the claim Name, String type, Operator, and Value. Choose + Add claim to add additional claims.

Step 5: Add a payment connector (optional)

Payment connectors store the credentials and configuration needed to connect with payment service providers. Adding a connector during creation is optional, but a connector is required for the service to process payments.

In the Payment connector: New Connector section, for Name, enter a name for the connector. Valid characters are a–z, A–Z, 0–9, and _ (underscore). The name can have up to 48 characters.
(Optional) Choose Description to expand the section, and then enter a description for the connector.
In the Add Outbound Auth section, if you want to reuse a payment credential provider previously created in AgentCore Identity, select an existing outbound auth from the dropdown; or choose create a new one to create a new payment credential provider. If you choose to create a new one, see Create a new outbound auth.
(Optional) To add additional connectors, choose + Add connector and repeat the steps above.

Create a new outbound auth

When you choose create a new one in the connector’s outbound auth section, a panel opens where you can configure a new payment credential provider.

For Name, enter a name for the outbound auth. Valid characters are a–z, A–Z, 0–9, _ (underscore), and - (hyphen).
For Provider, select a payment provider from the dropdown. The available providers are Coinbase and Stripe (Privy).

If you choose Coinbase, complete the following fields under Payment provider configurations:

For API key ID, enter the unique identifier for your Coinbase CDP account credentials.
For API key secret, enter the private key used to authenticate and sign requests to Coinbase CDP.
For Wallet secret, enter the asymmetric private key used to authenticate sensitive wallet write operations.

If you choose Stripe (Privy), complete the following fields under Payment provider configurations:

For App ID, enter the unique identifier for your Privy account credentials.
For App secret, enter the private key used to authenticate and sign requests to the Privy application.
For Authorization ID, enter the unique identifier for the authorization entity.
For Authorization private key, enter the private key used to sign authorization requests.

After completing the provider configuration, choose Add Outbound Auth.

Step 6: Create the Payment Manager

Review your configuration, and then choose Create Payment Manager.

After you choose Create Payment Manager, the console navigates to the Payment Manager details page. A success banner confirms that the Payment Manager was created and provides the following next steps:

Set up payment instrument and session, optionally specify the budget.
Integrate the Payment Manager into your agent framework.
Discover paid MCP tools and endpoints.
Enable log deliveries and traces to view metrics in the observability dashboard.

The Payment Manager details page includes sections for Payment connectors, Integration code templates, Inbound Auth, Observability metrics, and Log deliveries and tracing configuration.

AWS CLI

Create a Payment Manager with IAM authorization:


aws bedrock-agentcore-control create-payment-manager \
  --name "MyPaymentManager" \
  --authorizer-type AWS_IAM \
  --role-arn "arn:aws:iam::123456789012:role/AgentCorePaymentsResourceRetrievalRole" \
  --region us-east-1

Create a Payment Manager with JWT authorization:


aws bedrock-agentcore-control create-payment-manager \
  --name "MyPaymentManager" \
  --authorizer-type CUSTOM_JWT \
  --role-arn "arn:aws:iam::123456789012:role/AgentCorePaymentsResourceRetrievalRole" \
  --custom-jwt-authorizer-configuration '{
    "discoveryUrl": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE/.well-known/openid-configuration",
    "allowedAudience": ["your-client-id"],
    "allowedClients": ["your-client-id"]
  }' \
  --region us-east-1

The Payment Manager status starts as CREATING and transitions to READY when provisioning completes.

After the Payment Manager is ready, create a payment credential provider:

The following example creates a payment credential provider for Coinbase CDP:


aws bedrock-agentcore-control create-payment-credential-provider \
  --name "coinbase-provider" \
  --credential-provider-vendor CoinbaseCDP \
  --provider-configuration-input '{
    "coinbaseCdpConfiguration": {
      "apiKeyId": "your-coinbase-api-key-id",
      "apiKeySecret": "your-coinbase-api-key-secret",
      "walletSecret": "your-coinbase-wallet-secret"
    }
  }' \
  --region us-east-1

The following example creates a payment credential provider for Stripe Privy:


aws bedrock-agentcore-control create-payment-credential-provider \
  --name "stripe-privy-provider" \
  --credential-provider-vendor StripePrivy \
  --provider-configuration-input '{
    "stripePrivyConfiguration": {
      "appId": "your-stripe-privy-app-id",
      "appSecret": "your-stripe-privy-app-secret",
      "authorizationPrivateKey": "your-stripe-privy-authorization-private-key",
      "authorizationId": "your-stripe-privy-authorization-id"
    }
  }' \
  --region us-east-1

After the credential provider is ready, create a connector:


aws bedrock-agentcore-control create-payment-connector \
  --payment-manager-id <paymentManagerId> \
  --name "CoinbaseConnector" \
  --type CoinbaseCDP \
  --credential-provider-configurations '[{
    "coinbaseCDP": {
      "credentialProviderArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/default/paymentcredentialprovider/my-cdp-provider"
    }
  }]' \
  --region us-east-1

AWS SDK

Create a Payment Manager with IAM authorization:


import boto3

client = boto3.client("bedrock-agentcore-control", region_name="us-east-1")

# Create PaymentManager with IAM authorization
payment_manager = client.create_payment_manager(
    name="MyPaymentManager",
    authorizerType="AWS_IAM",
    roleArn="arn:aws:iam::123456789012:role/AgentCorePaymentsResourceRetrievalRole"
)

print(f"Payment Manager ID: {payment_manager['paymentManagerId']}")

Create a Payment Manager with JWT authorization:


payment_manager = client.create_payment_manager(
    name="MyPaymentManager",
    authorizerType="CUSTOM_JWT",
    roleArn="arn:aws:iam::123456789012:role/AgentCorePaymentsResourceRetrievalRole",
    customJWTAuthorizerConfiguration={
        "discoveryUrl": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE/.well-known/openid-configuration",
        "allowedAudience": ["your-client-id"],
        "allowedClients": ["your-client-id"],
        "allowedScopes": ["payments:write"],
        "customClaims": [
            {
                "claimName": "tenant_id",
                "claimValue": "your-unique-tenant-id",
                "operation": "EQUALS"
            }
        ]
    }
)

After the Payment Manager reaches READY status, create a payment credential provider:

The following example configures a provider for Coinbase CDP:


import boto3

client = boto3.client("bedrock-agentcore-control", region_name="us-east-1")

coinbase_provider = client.create_payment_credential_provider(
    name="coinbase-provider",
    credentialProviderVendor="CoinbaseCDP",
    providerConfigurationInput={
        "coinbaseCdpConfiguration": {
            "apiKeyId": "your-coinbase-api-key-id",
            "apiKeySecret": "your-coinbase-api-key-secret",
            "walletSecret": "your-coinbase-wallet-secret"
        }
    }
)

The following example configures a provider for Stripe Privy:


import boto3

client = boto3.client("bedrock-agentcore-control", region_name="us-east-1")

stripe_privy_provider = client.create_payment_credential_provider(
    name="stripe-privy-provider",
    credentialProviderVendor="StripePrivy",
    providerConfigurationInput={
        "stripePrivyConfiguration": {
            "appId": "your-stripe-privy-app-id",
            "appSecret": "your-stripe-privy-app-secret",
            "authorizationPrivateKey": "your-stripe-privy-authorization-private-key",
            "authorizationId": "your-stripe-privy-authorization-id"
        }
    }
)

After creating payment credential provider, create a connector:


# Create PaymentConnector for Coinbase CDP
payment_connector = client.create_payment_connector(
    paymentManagerId=payment_manager["paymentManagerId"],
    name="CoinbaseConnector",
    type="CoinbaseCDP",
    credentialProviderConfigurations=[
        {
            "coinbaseCDP": {
                "credentialProviderArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/default/paymentcredentialprovider/my-cdp-provider"
            }
        }
    ]
)

print(f"Connector ID: {payment_connector['paymentConnectorId']}")

For Stripe (Privy), use the stripePrivy configuration variant:


# Create PaymentConnector for Stripe (Privy)
payment_connector = client.create_payment_connector(
    paymentManagerId=payment_manager["paymentManagerId"],
    name="StripePrivyConnector",
    type="StripePrivy",
    credentialProviderConfigurations=[
        {
            "stripePrivy": {
                "credentialProviderArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/default/paymentcredentialprovider/my-privy-provider"
            }
        }
    ]
)

AgentCore SDK

The AgentCore SDK provides a convenience method create_payment_manager_with_connector that creates the Payment Manager, credential provider, and connector in a single call.

Coinbase CDP with IAM authorization:


from bedrock_agentcore.payments import PaymentClient

payment_client = PaymentClient(region_name="us-east-1")

response = payment_client.create_payment_manager_with_connector(
    payment_manager_name="MyPaymentManager",
    payment_manager_description="Payment manager for my agent.",
    authorizer_type="AWS_IAM",
    role_arn="arn:aws:iam::123456789012:role/MyPaymentRole",
    payment_connector_config={
        "name": "CoinbaseConnector",
        "description": "Coinbase CDP connector",
        "payment_credential_provider_config": {
            "name": "MyCoinbaseProvider",
            "credential_provider_vendor": "CoinbaseCDP",
            "credentials": {
                "api_key_id": "your-api-key-id",
                "api_key_secret": "your-api-key-secret",
                "wallet_secret": "your-wallet-secret",
            },
        },
    },
    wait_for_ready=True,
    max_wait=300,
    poll_interval=5,
)

payment_manager = response.get("paymentManager", {})
payment_connector = response.get("paymentConnector", {})
credential_provider = response.get("credentialProvider", {})

payment_manager_arn = payment_manager.get("paymentManagerArn")
payment_connector_id = payment_connector.get("paymentConnectorId")

print(f"Payment Manager ARN: {payment_manager_arn}")
print(f"Connector ID: {payment_connector_id}")

Coinbase CDP with JWT authorization:


from bedrock_agentcore.payments.client import PaymentClient

payment_client = PaymentClient(region_name="us-east-1")

response = payment_client.create_payment_manager_with_connector(
    payment_manager_name="CoinbasePaymentManagerJWT",
    payment_manager_description="Coinbase Payment Manager (JWT auth)",
    authorizer_type="CUSTOM_JWT",
    role_arn="arn:aws:iam::123456789012:role/BedrockAgentCoreFullAccess",
    payment_connector_config={
        "name": "coinbase-connector-jwt",
        "description": "Coinbase Connector (JWT)",
        "payment_credential_provider_config": {
            "name": "my-coinbase-provider-jwt",
            "credential_provider_vendor": "CoinbaseCDP",
            "credentials": {
                "api_key_id": "your-api-key-id",
                "api_key_secret": "your-api-key-secret",
                "wallet_secret": "your-wallet-secret",
            },
        },
    },
    wait_for_ready=True,
)

manager_arn = response["paymentManager"]["paymentManagerArn"]
connector_id = response["paymentConnector"]["paymentConnectorId"]
provider_arn = response["credentialProvider"]["credentialProviderArn"]

Stripe (Privy) with IAM authorization:


from bedrock_agentcore.payments.client import PaymentClient

payment_client = PaymentClient(region_name="us-east-1")

response = payment_client.create_payment_manager_with_connector(
    payment_manager_name="StripePaymentManager",
    payment_manager_description="Stripe + Privy Payment Manager (IAM auth)",
    authorizer_type="AWS_IAM",
    role_arn="arn:aws:iam::123456789012:role/BedrockAgentCoreFullAccess",
    payment_connector_config={
        "name": "stripe-privy-connector",
        "description": "Stripe + Privy Connector",
        "payment_credential_provider_config": {
            "name": "my-stripe-privy-provider",
            "credential_provider_vendor": "StripePrivy",
            "credentials": {
                "app_id": "your-privy-app-id",
                "app_secret": "your-privy-app-secret",
                "authorization_private_key": "your-authorization-private-key",
                "authorization_id": "your-authorization-id",
            },
        },
    },
    wait_for_ready=True,
)

manager_arn = response["paymentManager"]["paymentManagerArn"]
connector_id = response["paymentConnector"]["paymentConnectorId"]
provider_arn = response["credentialProvider"]["credentialProviderArn"]

Stripe (Privy) with JWT authorization:


from bedrock_agentcore.payments.client import PaymentClient

payment_client = PaymentClient(region_name="us-east-1")

response = payment_client.create_payment_manager_with_connector(
    payment_manager_name="StripePaymentManagerJWT",
    payment_manager_description="Stripe + Privy Payment Manager (JWT auth)",
    authorizer_type="CUSTOM_JWT",
    role_arn="arn:aws:iam::123456789012:role/BedrockAgentCoreFullAccess",
    payment_connector_config={
        "name": "stripe-privy-connector-jwt",
        "description": "Stripe + Privy Connector (JWT)",
        "payment_credential_provider_config": {
            "name": "my-stripe-privy-provider-jwt",
            "credential_provider_vendor": "StripePrivy",
            "credentials": {
                "app_id": "your-privy-app-id",
                "app_secret": "your-privy-app-secret",
                "authorization_private_key": "your-authorization-private-key",
                "authorization_id": "your-authorization-id",
            },
        },
    },
    wait_for_ready=True,
)

manager_arn = response["paymentManager"]["paymentManagerArn"]
connector_id = response["paymentConnector"]["paymentConnectorId"]
provider_arn = response["credentialProvider"]["credentialProviderArn"]

Lifecycle states

After creation, the Payment Manager transitions through the following states:

State	Description
`CREATING`	Initial state during provisioning.
`READY`	Payment Manager is operational and accepting connector configurations.
`UPDATING`	A configuration change is being applied.
`CREATE_FAILED`	Provisioning failure.
`UPDATE_FAILED`	Update operation failure.

Get a Payment Manager

Example

List Payment Managers

Example

Delete a Payment Manager

Example

Next steps

After creating your Payment Manager, you can:

Set up payment instruments and sessions — Configure payment instruments and sessions to start processing transactions. See Create a payment instrument.
Integrate with your agent framework — Use the integration code templates to connect the Payment Manager to your agentic workflow. See Processing payments.
Discover paid MCP tools and endpoints — Connect to ready-to-use MCP servers with pay-per-use endpoints or bring your own merchant endpoints. See Coinbase Bazaar via AgentCore Gateway.
Enable observability — Configure log deliveries and tracing to monitor sessions, API invocations, transactions, and error rates. See Observability.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

IAM roles

Processing payments