fix(payments): delete dead CRUD functions + inject AUTH_MODE for CUSTOM_JWT

Fix 1 — Delete dead code:
- Remove createPaymentManager, listPaymentManagers, deletePaymentManager,
  createPaymentConnector, deletePaymentConnector, listPaymentConnectors,
  generateClientToken and ~14 associated type interfaces from agentcore-payments.ts
- These had zero call sites (CDK constructs handle all resource creation)
- Removed ~270 lines of dead code

Fix 2 — Inject AGENTCORE_PAYMENT_{NAME}_AUTH_MODE:
- cdk-stack.ts: inject AUTH_MODE='bearer' when authorizerType is CUSTOM_JWT
- deployed-state.ts: add authorizerType to PaymentDeployedStateSchema
- outputs.ts: pass authorizerType through from spec in parsePaymentOutputs
- actions.ts + useDeployFlow.ts: include authorizerType in paymentSpecs
- payment-env.ts: read authorizerType from project spec for dev mode
- payments.py: read from prefixed env var (${_prefix}AUTH_MODE)

Without this fix, CUSTOM_JWT users always get SigV4 auth mode at runtime.

Author: aidandaly24

src/assets/__tests__/__snapshots__/assets.snapshot.test.ts.snap

@@ -380,6 +380,9 @@ export class AgentCoreStack extends Stack {
           if (payment.networkPreferences) {
             env.runtime.addEnvironmentVariable(\`\${prefix}_NETWORK_PREFERENCES\`, payment.networkPreferences.join(','));
           }
+          if (payment.authorizerType === 'CUSTOM_JWT') {
+            env.runtime.addEnvironmentVariable(\`\${prefix}_AUTH_MODE\`, 'bearer');
+          }
         }
 
         // Create connectors for this manager
@@ -5367,9 +5370,9 @@ if _manager_count > 1:
         "Remove extra AGENTCORE_PAYMENT_*_MANAGER_ARN env vars to eliminate ambiguity."
     )
 _region = os.getenv("AWS_REGION")
-_auth_mode = os.getenv("AGENTCORE_PAYMENT_AUTH_MODE", "sigv4")
 
 _prefix = f"AGENTCORE_PAYMENT_{_name_segment}_" if _name_segment else "AGENTCORE_PAYMENT_"
+_auth_mode = os.getenv(f"{_prefix}AUTH_MODE", "sigv4")
 _connector_id = os.getenv(f"{_prefix}CONNECTOR_ID")
 _process_payment_role_arn = os.getenv(f"{_prefix}PROCESS_PAYMENT_ROLE_ARN")
 _auto_payment = os.getenv(f"{_prefix}AUTO_PAYMENT", "true").lower() == "true"

src/assets/cdk/lib/cdk-stack.ts

@@ -105,6 +105,9 @@ export class AgentCoreStack extends Stack {
           if (payment.networkPreferences) {
             env.runtime.addEnvironmentVariable(`${prefix}_NETWORK_PREFERENCES`, payment.networkPreferences.join(','));
           }
+          if (payment.authorizerType === 'CUSTOM_JWT') {
+            env.runtime.addEnvironmentVariable(`${prefix}_AUTH_MODE`, 'bearer');
+          }
         }
 
         // Create connectors for this manager

src/assets/python/http/strands/capabilities/payments/payments.py

@@ -52,9 +52,9 @@
         "Remove extra AGENTCORE_PAYMENT_*_MANAGER_ARN env vars to eliminate ambiguity."
     )
 _region = os.getenv("AWS_REGION")
-_auth_mode = os.getenv("AGENTCORE_PAYMENT_AUTH_MODE", "sigv4")
 
 _prefix = f"AGENTCORE_PAYMENT_{_name_segment}_" if _name_segment else "AGENTCORE_PAYMENT_"
+_auth_mode = os.getenv(f"{_prefix}AUTH_MODE", "sigv4")
 _connector_id = os.getenv(f"{_prefix}CONNECTOR_ID")
 _process_payment_role_arn = os.getenv(f"{_prefix}PROCESS_PAYMENT_ROLE_ARN")
 _auto_payment = os.getenv(f"{_prefix}AUTO_PAYMENT", "true").lower() == "true"

src/cli/aws/agentcore-payments.ts

@@ -10,7 +10,6 @@ import { Sha256 } from '@aws-crypto/sha256-js';
 import { defaultProvider } from '@aws-sdk/credential-provider-node';
 import { HttpRequest } from '@smithy/protocol-http';
 import { SignatureV4 } from '@smithy/signature-v4';
-import { randomUUID } from 'node:crypto';
 
 // ============================================================================
 // Types
@@ -63,31 +62,6 @@ export interface PaymentCredentialProviderDetail {
   status: string;
 }
 
-// ── Create Payment Manager ────────────────────────────────────────────────
-
-export interface CreatePaymentManagerOptions {
-  region: string;
-  name: string;
-  description?: string;
-  authorizerType?: 'AWS_IAM' | 'CUSTOM_JWT';
-  authorizerConfiguration?: {
-    customJWTAuthorizer?: {
-      discoveryUrl: string;
-      allowedClients?: string[];
-      allowedAudience?: string[];
-      allowedScopes?: string[];
-    };
-  };
-  roleArn: string;
-  clientToken: string;
-}
-
-export interface CreatePaymentManagerResult {
-  paymentManagerId: string;
-  paymentManagerArn: string;
-  status: string;
-}
-
 // ── Get Payment Manager ───────────────────────────────────────────────────
 
 export interface GetPaymentManagerOptions {
@@ -104,79 +78,6 @@ export interface PaymentManagerDetail {
   roleArn?: string;
 }
 
-// ── List Payment Managers ──────────────────────────────────────────────────
-
-export interface ListPaymentManagersOptions {
-  region: string;
-  maxResults?: number;
-  nextToken?: string;
-}
-
-export interface PaymentManagerSummary {
-  paymentManagerId: string;
-  paymentManagerArn: string;
-  name: string;
-  status: string;
-}
-
-export interface ListPaymentManagersResult {
-  paymentManagers: PaymentManagerSummary[];
-  nextToken?: string;
-}
-
-// ── Delete Payment Manager ────────────────────────────────────────────────
-
-export interface DeletePaymentManagerOptions {
-  region: string;
-  paymentManagerId: string;
-  clientToken?: string;
-}
-
-// ── Create Payment Connector ───────────────────────────────────────────────
-
-export interface CreatePaymentConnectorOptions {
-  region: string;
-  paymentManagerId: string;
-  name: string;
-  description?: string;
-  credentialProviderArn: string;
-  clientToken: string;
-  vendor?: 'CoinbaseCDP' | 'StripePrivy';
-}
-
-export interface CreatePaymentConnectorResult {
-  paymentConnectorId: string;
-  status: string;
-}
-
-// ── Delete Payment Connector ───────────────────────────────────────────────
-
-export interface DeletePaymentConnectorOptions {
-  region: string;
-  paymentManagerId: string;
-  paymentConnectorId: string;
-}
-
-// ── List Payment Connectors ────────────────────────────────────────────────
-
-export interface ListPaymentConnectorsOptions {
-  region: string;
-  paymentManagerId: string;
-  maxResults?: number;
-  nextToken?: string;
-}
-
-export interface PaymentConnectorSummary {
-  paymentConnectorId: string;
-  name: string;
-  status: string;
-}
-
-export interface ListPaymentConnectorsResult {
-  paymentConnectors: PaymentConnectorSummary[];
-  nextToken?: string;
-}
-
 // ============================================================================
 // HTTP signing helper
 // ============================================================================
@@ -269,13 +170,6 @@ async function signedRequest(options: {
   return response.json();
 }
 
-/**
- * Generate a client token that meets the >= 33 char minimum for idempotency.
- */
-export function generateClientToken(): string {
-  return `${randomUUID()}-${randomUUID()}`;
-}
-
 // ============================================================================
 // Payment Credential Provider Operations
 // ============================================================================
@@ -405,31 +299,6 @@ export async function deletePaymentCredentialProvider(options: { region: string;
 // Payment Manager Operations
 // ============================================================================
 
-export async function createPaymentManager(options: CreatePaymentManagerOptions): Promise<CreatePaymentManagerResult> {
-  const clientToken = options.clientToken || generateClientToken();
-  const body = JSON.stringify({
-    name: options.name,
-    ...(options.description && { description: options.description }),
-    authorizerType: options.authorizerType ?? 'AWS_IAM',
-    ...(options.authorizerConfiguration && { authorizerConfiguration: options.authorizerConfiguration }),
-    roleArn: options.roleArn,
-    clientToken,
-  });
-
-  try {
-    return (await signedRequest({
-      region: options.region,
-      method: 'POST',
-      path: '/payments/managers',
-      body,
-    })) as CreatePaymentManagerResult;
-  } catch (err) {
-    throw new Error(
-      `Failed to create payment manager "${options.name}": ${err instanceof Error ? err.message : String(err)}`
-    );
-  }
-}
-
 export async function getPaymentManager(options: GetPaymentManagerOptions): Promise<PaymentManagerDetail | null> {
   try {
     return (await signedRequest({
@@ -444,114 +313,6 @@ export async function getPaymentManager(options: GetPaymentManagerOptions): Prom
   }
 }
 
-export async function listPaymentManagers(options: ListPaymentManagersOptions): Promise<ListPaymentManagersResult> {
-  const body: Record<string, unknown> = {};
-  if (options.maxResults) body.maxResults = options.maxResults;
-  if (options.nextToken) body.nextToken = options.nextToken;
-
-  const data = await signedRequest({
-    region: options.region,
-    method: 'POST',
-    path: '/payments/managers-list',
-    body: JSON.stringify(body),
-  });
-
-  const result = data as ListPaymentManagersResult;
-  return {
-    paymentManagers: result.paymentManagers ?? [],
-    nextToken: result.nextToken,
-  };
-}
-
-export async function deletePaymentManager(options: DeletePaymentManagerOptions): Promise<void> {
-  const clientToken = options.clientToken ?? generateClientToken();
-
-  try {
-    await signedRequest({
-      region: options.region,
-      method: 'DELETE',
-      path: `/payments/managers/${encodeURIComponent(options.paymentManagerId)}?clientToken=${encodeURIComponent(clientToken)}`,
-    });
-  } catch (err) {
-    throw new Error(
-      `Failed to delete payment manager "${options.paymentManagerId}": ${err instanceof Error ? err.message : String(err)}`
-    );
-  }
-}
-
-// ============================================================================
-// Payment Connector Operations
-// ============================================================================
-
-export async function createPaymentConnector(
-  options: CreatePaymentConnectorOptions
-): Promise<CreatePaymentConnectorResult> {
-  const clientToken = options.clientToken || generateClientToken();
-  const vendor = options.vendor ?? 'CoinbaseCDP';
-  const credConfigKey = vendor === 'StripePrivy' ? 'stripePrivy' : 'coinbaseCDP';
-  const body = JSON.stringify({
-    name: options.name,
-    ...(options.description && { description: options.description }),
-    type: vendor,
-    credentialProviderConfigurations: [
-      {
-        [credConfigKey]: {
-          credentialProviderArn: options.credentialProviderArn,
-        },
-      },
-    ],
-    clientToken,
-  });
-
-  try {
-    return (await signedRequest({
-      region: options.region,
-      method: 'POST',
-      path: `/payments/managers/${encodeURIComponent(options.paymentManagerId)}/connectors`,
-      body,
-    })) as CreatePaymentConnectorResult;
-  } catch (err) {
-    throw new Error(
-      `Failed to create payment connector "${options.name}" for manager ${options.paymentManagerId}: ${err instanceof Error ? err.message : String(err)}`
-    );
-  }
-}
-
-export async function deletePaymentConnector(options: DeletePaymentConnectorOptions): Promise<void> {
-  try {
-    await signedRequest({
-      region: options.region,
-      method: 'DELETE',
-      path: `/payments/managers/${encodeURIComponent(options.paymentManagerId)}/connectors/${encodeURIComponent(options.paymentConnectorId)}`,
-    });
-  } catch (err) {
-    throw new Error(
-      `Failed to delete payment connector "${options.paymentConnectorId}": ${err instanceof Error ? err.message : String(err)}`
-    );
-  }
-}
-
-export async function listPaymentConnectors(
-  options: ListPaymentConnectorsOptions
-): Promise<ListPaymentConnectorsResult> {
-  const body: Record<string, unknown> = {};
-  if (options.maxResults) body.maxResults = options.maxResults;
-  if (options.nextToken) body.nextToken = options.nextToken;
-
-  const data = await signedRequest({
-    region: options.region,
-    method: 'POST',
-    path: `/payments/managers/${encodeURIComponent(options.paymentManagerId)}/connectors-list`,
-    body: JSON.stringify(body),
-  });
-
-  const result = data as ListPaymentConnectorsResult;
-  return {
-    paymentConnectors: result.paymentConnectors ?? [],
-    nextToken: result.nextToken,
-  };
-}
-
 // ============================================================================
 // Data Plane Operations (Payment Sessions)
 // ============================================================================

src/cli/cloudformation/outputs.ts

@@ -384,6 +384,7 @@ export function parsePaymentOutputs(
   outputs: StackOutputs,
   paymentSpecs: {
     name: string;
+    authorizerType?: 'AWS_IAM' | 'CUSTOM_JWT';
     autoPayment?: boolean;
     paymentToolAllowlist?: string[];
     networkPreferences?: string[];
@@ -421,6 +422,7 @@ export function parsePaymentOutputs(
       connectors,
       processPaymentRoleArn,
       resourceRetrievalRoleArn,
+      ...(spec.authorizerType && { authorizerType: spec.authorizerType }),
       ...(spec.autoPayment !== undefined && { autoPayment: spec.autoPayment }),
       ...(spec.paymentToolAllowlist && { paymentToolAllowlist: spec.paymentToolAllowlist }),
       ...(spec.networkPreferences && { networkPreferences: spec.networkPreferences }),

src/cli/commands/deploy/actions.ts

@@ -520,6 +520,7 @@ export async function handleDeploy(options: ValidatedDeployOptions): Promise<Dep
     // Parse payment outputs from CFN stack
     const paymentSpecs = (context.projectSpec.payments ?? []).map(p => ({
       name: p.name,
+      authorizerType: p.authorizerType,
       autoPayment: p.autoPayment,
       paymentToolAllowlist: p.paymentToolAllowlist,
       networkPreferences: p.networkPreferences,

src/cli/operations/dev/payment-env.ts

@@ -6,6 +6,7 @@ export async function getPaymentEnvVars(): Promise<Record<string, string>> {
 
   try {
     const deployedState = await configIO.readDeployedState();
+    const projectSpec = await configIO.readProjectSpec().catch(() => null);
 
     // Iterate all targets (not just 'default')
     for (const target of Object.values(deployedState?.targets ?? {})) {
@@ -50,6 +51,14 @@ export async function getPaymentEnvVars(): Promise<Record<string, string>> {
         if (payment.networkPreferences && payment.networkPreferences.length > 0) {
           envVars[`AGENTCORE_PAYMENT_${sanitized}_NETWORK_PREFERENCES`] = payment.networkPreferences.join(',');
         }
+
+        // Auth mode from project spec (mirrors CDK injection)
+        const paymentSpec = projectSpec?.payments?.find((p: { name: string }) => p.name === name) as
+          | { authorizerType?: string }
+          | undefined;
+        if (paymentSpec?.authorizerType === 'CUSTOM_JWT') {
+          envVars[`AGENTCORE_PAYMENT_${sanitized}_AUTH_MODE`] = 'bearer';
+        }
       }
     }
   } catch {

src/cli/tui/screens/deploy/useDeployFlow.ts

@@ -321,12 +321,14 @@ export function useDeployFlow(options: DeployFlowOptions = {}): DeployFlowState
     const paymentSpecs = (ctx.projectSpec.payments ?? []).map(
       (p: {
         name: string;
+        authorizerType?: 'AWS_IAM' | 'CUSTOM_JWT';
         autoPayment?: boolean;
         paymentToolAllowlist?: string[];
         networkPreferences?: string[];
         connectors: { name: string; credentialName: string }[];
       }) => ({
         name: p.name,
+        authorizerType: p.authorizerType,
         autoPayment: p.autoPayment,
         paymentToolAllowlist: p.paymentToolAllowlist,
         networkPreferences: p.networkPreferences,

src/schema/schemas/deployed-state.ts

@@ -248,6 +248,7 @@ export const PaymentDeployedStateSchema = z.object({
   connectors: z.record(z.string(), PaymentConnectorDeployedStateSchema).default({}),
   processPaymentRoleArn: z.string().min(1),
   resourceRetrievalRoleArn: z.string().min(1),
+  authorizerType: z.enum(['AWS_IAM', 'CUSTOM_JWT']).optional(),
   autoPayment: z.boolean().optional(),
   paymentToolAllowlist: z.array(z.string()).optional(),
   networkPreferences: z.array(z.string()).optional(),