aws · tejaskash · Mar 9, 2026 · Mar 8, 2026 · Mar 9, 2026
diff --git a/src/cli/commands/add/__tests__/validate.test.ts b/src/cli/commands/add/__tests__/validate.test.ts
@@ -614,17 +614,43 @@ describe('validate', () => {
       expect(result.error).toContain('not applicable');
     });
 
-    it('rejects --outbound-auth for api-gateway type', async () => {
+    it('rejects --outbound-auth oauth for api-gateway type', async () => {
       const result = await validateAddGatewayTargetOptions({
         name: 'my-api',
         type: 'api-gateway',
         restApiId: 'abc123',
         stage: 'prod',
         gateway: 'my-gateway',
-        outboundAuthType: 'NONE',
+        outboundAuthType: 'OAUTH',
       });
       expect(result.valid).toBe(false);
-      expect(result.error).toContain('not applicable');
+      expect(result.error).toContain('OAuth is not supported');
+    });
+
+    it('accepts --outbound-auth api-key with --credential-name for api-gateway type', async () => {
+      const result = await validateAddGatewayTargetOptions({
+        name: 'my-api',
+        type: 'api-gateway',
+        restApiId: 'abc123',
+        stage: 'prod',
+        gateway: 'my-gateway',
+        outboundAuthType: 'API_KEY',
+        credentialName: 'my-key',
+      });
+      expect(result.valid).toBe(true);
+    });
+
+    it('rejects --outbound-auth api-key without --credential-name for api-gateway type', async () => {
+      const result = await validateAddGatewayTargetOptions({
+        name: 'my-api',
+        type: 'api-gateway',
+        restApiId: 'abc123',
+        stage: 'prod',
+        gateway: 'my-gateway',
+        outboundAuthType: 'API_KEY',
+      });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('--credential-name is required');
     });
 
     it('rejects --host with mcp-server type', async () => {

diff --git a/src/cli/commands/add/validate.ts b/src/cli/commands/add/validate.ts
@@ -281,10 +281,13 @@ export async function validateAddGatewayTargetOptions(options: AddGatewayTargetO
       return { valid: false, error: '--language is not applicable for api-gateway type' };
     }
     if (options.outboundAuthType) {
-      return { valid: false, error: '--outbound-auth is not applicable for api-gateway type' };
-    }
-    if (options.credentialName) {
-      return { valid: false, error: '--credential-name is not applicable for api-gateway type' };
+      const authLower = options.outboundAuthType.toLowerCase();
+      if (authLower === 'oauth') {
+        return { valid: false, error: 'OAuth is not supported for api-gateway type' };
+      }
+      if ((authLower === 'api-key' || authLower === 'api_key') && !options.credentialName) {
+        return { valid: false, error: '--credential-name is required with --outbound-auth api-key' };
+      }
     }
     if (options.oauthClientId || options.oauthClientSecret || options.oauthDiscoveryUrl || options.oauthScopes) {
       return { valid: false, error: 'OAuth options are not applicable for api-gateway type' };

diff --git a/src/cli/primitives/GatewayTargetPrimitive.ts b/src/cli/primitives/GatewayTargetPrimitive.ts
@@ -275,6 +275,7 @@ export class GatewayTargetPrimitive extends BasePrimitive<AddGatewayTargetOption
           const outboundAuthMap: Record<string, 'OAUTH' | 'API_KEY' | 'NONE'> = {
             oauth: 'OAUTH',
             'api-key': 'API_KEY',
+            api_key: 'API_KEY',
             none: 'NONE',
           };
 
@@ -296,6 +297,16 @@ export class GatewayTargetPrimitive extends BasePrimitive<AddGatewayTargetOption
                     },
                   ]
                 : undefined,
+              ...(cliOptions.outboundAuthType
+                ? {
+                    outboundAuth: {
+                      type: (outboundAuthMap[cliOptions.outboundAuthType.toLowerCase()] ?? 'NONE') as
+                        | 'API_KEY'
+                        | 'NONE',
+                      credentialName: cliOptions.credentialName,
+                    },
+                  }
+                : {}),
             };
             const result = await this.createApiGatewayTarget(config);
             const output = { success: true, toolName: result.toolName };
@@ -507,6 +518,7 @@ export class GatewayTargetPrimitive extends BasePrimitive<AddGatewayTargetOption
           toolFilters: config.toolFilters ?? [{ filterPath: '/*', methods: ['GET'] }],
         },
       },
+      ...(config.outboundAuth && { outboundAuth: config.outboundAuth }),
     };
 
     gateway.targets.push(target);

diff --git a/src/cli/tui/hooks/useCdkPreflight.ts b/src/cli/tui/hooks/useCdkPreflight.ts
@@ -68,8 +68,8 @@ export interface PreflightResult {
   missingCredentials: MissingCredential[];
   /** KMS key ARN used for identity token vault encryption */
   identityKmsKeyArn?: string;
-  /** OAuth credential ARNs from pre-deploy setup */
-  oauthCredentials: Record<string, { credentialProviderArn: string; clientSecretArn?: string; callbackUrl?: string }>;
+  /** Credential ARNs (API key + OAuth) from pre-deploy setup */
+  allCredentials: Record<string, { credentialProviderArn: string; clientSecretArn?: string; callbackUrl?: string }>;
   startPreflight: () => Promise<void>;
   confirmTeardown: () => void;
   cancelTeardown: () => void;
@@ -128,7 +128,7 @@ export function useCdkPreflight(options: PreflightOptions): PreflightResult {
   const [runtimeCredentials, setRuntimeCredentials] = useState<SecureCredentials | null>(null);
   const [skipIdentitySetup, setSkipIdentitySetup] = useState(false);
   const [identityKmsKeyArn, setIdentityKmsKeyArn] = useState<string | undefined>(undefined);
-  const [oauthCredentials, setOauthCredentials] = useState<
+  const [allCredentials, setAllCredentials] = useState<
     Record<string, { credentialProviderArn: string; clientSecretArn?: string; callbackUrl?: string }>
   >({});
   const [teardownConfirmed, setTeardownConfirmed] = useState(false);
@@ -723,7 +723,6 @@ export function useCdkPreflight(options: PreflightOptions): PreflightResult {
               };
             }
           }
-          setOauthCredentials(creds);
           Object.assign(deployedCredentials, creds);
 
           logger.endStep('success');
@@ -732,6 +731,7 @@ export function useCdkPreflight(options: PreflightOptions): PreflightResult {
 
         // Write partial deployed state with credential ARNs before CDK synth
         if (Object.keys(deployedCredentials).length > 0) {
+          setAllCredentials(deployedCredentials);
           const configIO = new ConfigIO();
           const target = context.awsTargets[0];
           const existingState = await configIO.readDeployedState().catch(() => ({ targets: {} }) as DeployedState);
@@ -890,7 +890,7 @@ export function useCdkPreflight(options: PreflightOptions): PreflightResult {
     hasCredentialsError,
     missingCredentials,
     identityKmsKeyArn,
-    oauthCredentials,
+    allCredentials,
     startPreflight,
     confirmTeardown,
     cancelTeardown,

diff --git a/src/cli/tui/screens/deploy/useDeployFlow.ts b/src/cli/tui/screens/deploy/useDeployFlow.ts
@@ -42,7 +42,7 @@ export interface PreSynthesized {
   stackNames: string[];
   switchableIoHost?: SwitchableIoHost;
   identityKmsKeyArn?: string;
-  oauthCredentials?: Record<string, { credentialProviderArn: string; clientSecretArn?: string; callbackUrl?: string }>;
+  allCredentials?: Record<string, { credentialProviderArn: string; clientSecretArn?: string; callbackUrl?: string }>;
 }
 
 interface DeployFlowOptions {
@@ -114,7 +114,7 @@ export function useDeployFlow(options: DeployFlowOptions = {}): DeployFlowState
   const stackNames = preSynthesized?.stackNames ?? preflight.stackNames;
   const switchableIoHost = preSynthesized?.switchableIoHost ?? preflight.switchableIoHost;
   const identityKmsKeyArn = preSynthesized?.identityKmsKeyArn ?? preflight.identityKmsKeyArn;
-  const oauthCredentials = preSynthesized?.oauthCredentials ?? preflight.oauthCredentials;
+  const allCredentials = preSynthesized?.allCredentials ?? preflight.allCredentials;
 
   const [publishAssetsStep, setPublishAssetsStep] = useState<Step>({ label: 'Publish assets', status: 'pending' });
   const [deployStep, setDeployStep] = useState<Step>({ label: 'Deploy to AWS', status: 'pending' });
@@ -269,7 +269,7 @@ export function useDeployFlow(options: DeployFlowOptions = {}): DeployFlowState
       existingState,
       identityKmsKeyArn,
       memories,
-      credentials: Object.keys(oauthCredentials).length > 0 ? oauthCredentials : undefined,
+      credentials: Object.keys(allCredentials).length > 0 ? allCredentials : undefined,
     });
     await configIO.writeDeployedState(deployedState);
 
@@ -282,7 +282,7 @@ export function useDeployFlow(options: DeployFlowOptions = {}): DeployFlowState
     if (allStatuses.length > 0) {
       setTargetStatuses(allStatuses);
     }
-  }, [context, stackNames, logger, identityKmsKeyArn, oauthCredentials]);
+  }, [context, stackNames, logger, identityKmsKeyArn, allCredentials]);
 
   // Start deploy when preflight completes OR when shouldStartDeploy is set
   useEffect(() => {

diff --git a/src/cli/tui/screens/mcp/AddGatewayTargetFlow.tsx b/src/cli/tui/screens/mcp/AddGatewayTargetFlow.tsx
@@ -6,11 +6,11 @@ import { AddIdentityScreen } from '../identity/AddIdentityScreen';
 import type { AddIdentityConfig } from '../identity/types';
 import { useCreateIdentity, useExistingCredentials, useExistingIdentityNames } from '../identity/useCreateIdentity';
 import { AddGatewayTargetScreen } from './AddGatewayTargetScreen';
-import type { AddGatewayTargetConfig, GatewayTargetWizardState } from './types';
+import type { AddGatewayTargetConfig, AddGatewayTargetStep, GatewayTargetWizardState } from './types';
 import React, { useCallback, useEffect, useMemo, useState } from 'react';
 
 type FlowState =
-  | { name: 'create-wizard' }
+  | { name: 'create-wizard'; resumeConfig?: GatewayTargetWizardState; resumeStep?: AddGatewayTargetStep }
   | { name: 'creating-credential'; pendingConfig: GatewayTargetWizardState }
   | { name: 'create-success'; toolName: string; projectPath: string; loading?: boolean; loadingMessage?: string }
   | { name: 'error'; message: string };
@@ -45,6 +45,11 @@ export function AddGatewayTargetFlow({
     [credentials]
   );
 
+  const apiKeyCredentialNames = useMemo(
+    () => credentials.filter(c => c.type === 'ApiKeyCredentialProvider').map(c => c.name),
+    [credentials]
+  );
+
   // In non-interactive mode, exit after success (but not while loading)
   useEffect(() => {
     if (!isInteractive && flow.name === 'create-success' && !flow.loading) {
@@ -110,22 +115,22 @@ export function AddGatewayTargetFlow({
       void createIdentity(createConfig).then(result => {
         if (result.ok && flow.name === 'creating-credential') {
           const pending = flow.pendingConfig;
-          // Credential creation is only reachable from the mcpServer outbound-auth step
-          handleCreateComplete({
-            targetType: 'mcpServer',
-            name: pending.name,
-            description: pending.description ?? `Tool for ${pending.name}`,
-            endpoint: pending.endpoint!,
-            gateway: pending.gateway!,
-            toolDefinition: pending.toolDefinition!,
-            outboundAuth: { type: 'OAUTH', credentialName: result.result.name },
+          const authType = pending.targetType === 'apiGateway' ? 'API_KEY' : 'OAUTH';
+          // Resume wizard at confirm step with the new credential attached
+          setFlow({
+            name: 'create-wizard',
+            resumeConfig: {
+              ...pending,
+              outboundAuth: { type: authType, credentialName: result.result.name },
+            },
+            resumeStep: 'confirm',
           });
         } else if (!result.ok) {
           setFlow({ name: 'error', message: result.error });
         }
       });
     },
-    [flow, createIdentity, handleCreateComplete]
+    [flow, createIdentity]
   );
 
   // Create wizard
@@ -135,21 +140,33 @@ export function AddGatewayTargetFlow({
         existingGateways={existingGateways}
         existingToolNames={existingToolNames}
         existingOAuthCredentialNames={oauthCredentialNames}
+        existingApiKeyCredentialNames={apiKeyCredentialNames}
         onComplete={handleCreateComplete}
         onCreateCredential={handleCreateCredential}
         onExit={onBack}
+        initialConfig={flow.resumeConfig}
+        initialStep={flow.resumeStep}
       />
     );
   }
 
   // Creating credential via identity screen
   if (flow.name === 'creating-credential') {
+    const resumeStep = flow.pendingConfig.targetType === 'apiGateway' ? 'api-gateway-auth' : 'outbound-auth';
     return (
       <AddIdentityScreen
         existingIdentityNames={existingIdentityNames}
         onComplete={handleIdentityComplete}
-        onExit={() => setFlow({ name: 'create-wizard' })}
-        initialType="OAuthCredentialProvider"
+        onExit={() =>
+          setFlow({
+            name: 'create-wizard',
+            resumeConfig: flow.pendingConfig,
+            resumeStep: resumeStep,
+          })
+        }
+        initialType={
+          flow.pendingConfig.targetType === 'apiGateway' ? 'ApiKeyCredentialProvider' : 'OAuthCredentialProvider'
+        }
       />
     );
   }