EventBridge API Destinations with OAuth are the secret sauce for letting AWS services talk securely to your external APIs without your own code ever handling access tokens.
Let’s see it in action. Imagine you have a webhook endpoint at https://my-external-service.com/api/v1/events. You want to send a UserCreated event from EventBridge to this endpoint.
First, you’ll need to configure your external service to issue OAuth 2.0 tokens. This usually involves registering your AWS EventBridge API Destination as an OAuth client. The details vary by provider, but you’ll typically get a client_id, client_secret, and an access token URL (e.g., https://my-external-service.com/oauth/token).
In AWS, you’ll create an ApiDestination resource.
```bash
aws events create-api-destination \
  --name MyExternalApiDestination \
  --invocation-endpoint "https://my-external-service.com/api/v1/events" \
  --http-method POST \
  --connection-arn arn:aws:events:us-east-1:123456789012:connection/MyOAuthConnection/abcdef123456 \
  --invocation-rate-limit-per-second 10
```
The crucial part here is the connection-arn. This Connection resource in AWS handles the OAuth flow. You create it separately:
```bash
aws events create-connection \
  --name MyOAuthConnection \
  --authorization-type OAUTH_CLIENT_CREDENTIALS \
  --auth-parameters '{
    "OAuthParameters": {
      "ClientParameters": {
        "ClientID": "YOUR_CLIENT_ID",
        "ClientSecret": "YOUR_CLIENT_SECRET"
      },
      "AuthorizationEndpoint": "https://my-external-service.com/oauth/token",
      "HttpMethod": "POST"
    }
  }' \
  --description "Connection for MyExternalApiDestination"
```
Replace YOUR_CLIENT_SECRET and YOUR_CLIENT_ID with the actual credentials from your external service. EventBridge stores the client secret in AWS Secrets Manager on your behalf, so it never appears in the ApiDestination or in any rule definition.
Now, create a Target for your EventBridge Rule. This target will point to the ApiDestination you just created. EventBridge invokes API destinations through an IAM role, so the target also needs a RoleArn for a role that trusts events.amazonaws.com and allows events:InvokeApiDestination on the destination.

```bash
# The role name below is a placeholder; use the role you created for EventBridge.
aws events put-targets \
  --rule MyUserCreatedRule \
  --event-bus-name default \
  --targets "Id=MyExternalApiTarget,Arn=arn:aws:events:us-east-1:123456789012:api-destination/MyExternalApiDestination,RoleArn=arn:aws:iam::123456789012:role/EventBridgeInvokeApiDestinationRole"
```
When an event matching MyUserCreatedRule fires, EventBridge will:
- Look up the `ApiDestination` named `MyExternalApiDestination`.
- Use the associated `Connection` (`MyOAuthConnection`) to get an OAuth 2.0 access token. It does this by making a POST request to the token endpoint (https://my-external-service.com/oauth/token) with the `client_id` and `client_secret`.
- Once it has the access token, make a POST request to the invocation endpoint (https://my-external-service.com/api/v1/events), including the access token in the `Authorization: Bearer <access_token>` header.
- If the token expires, the `Connection` automatically handles refreshing it.
The invocation-rate-limit-per-second on the ApiDestination caps how fast EventBridge calls your external API, preventing overload; the per-invocation timeout is fixed by the service (5 seconds) and is not configurable, so a slow endpoint will see retries rather than long-held requests.
The most surprising thing is how seamlessly EventBridge manages the token lifecycle. You don’t write any code to poll for token expiration or manually request new ones. The Connection resource is stateful and handles all of that complexity for you behind the scenes, making it feel like a direct HTTP call but with robust, managed security. This means your EventBridge rules can reliably trigger actions in external systems without you ever needing to think about rotating API keys or managing bearer tokens.
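To make the four steps above and the token lifecycle concrete, here is an added, self-contained model of the exchange. It is not AWS code and not the external service's code: both the provider side (the token endpoint and the events endpoint it protects) and the connection side (a token cache that refreshes only when the token is missing or about to expire) are simulated in-process with plain function calls standing in for HTTP requests, so it runs offline. The client id, secret, URLs and event payloads are constructed placeholders, and the class names ExternalService and ManagedConnection are this example's own.

```python
"""Offline model of the OAuth 2.0 client-credentials flow an EventBridge
Connection performs for an API destination (added example, not AWS code)."""
import hmac
import secrets
import time

# Constructed placeholder URLs matching the ones used in the walkthrough.
TOKEN_ENDPOINT = "https://my-external-service.com/oauth/token"
EVENTS_ENDPOINT = "https://my-external-service.com/api/v1/events"


class ExternalService:
    """Simulated provider: issues tokens and guards the webhook (constructed)."""

    def __init__(self, client_id, client_secret, token_ttl=3600):
        self._clients = {client_id: client_secret}
        self._tokens = {}          # access_token -> expiry (epoch seconds)
        self._ttl = token_ttl
        self.received = []         # events accepted by the events endpoint

    def handle(self, method, url, headers, body, now):
        """Dispatch a simulated HTTP request; returns (status, json_body)."""
        if url == TOKEN_ENDPOINT:
            return self._token_endpoint(method, body, now)
        if url == EVENTS_ENDPOINT:
            return self._events_endpoint(method, headers, body, now)
        return 404, {"error": "not_found"}

    def _token_endpoint(self, method, form, now):
        # RFC 6749 section 4.4: grant_type=client_credentials plus client id/secret.
        if method != "POST" or form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        expected = self._clients.get(form.get("client_id"), "")
        # Constant-time comparison so the secret check does not leak timing.
        if not expected or not hmac.compare_digest(expected, form.get("client_secret", "")):
            return 401, {"error": "invalid_client"}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = now + self._ttl
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": self._ttl}

    def _events_endpoint(self, method, headers, body, now):
        auth = headers.get("Authorization", "")
        if method != "POST" or not auth.startswith("Bearer "):
            return 401, {"error": "missing_bearer_token"}
        expiry = self._tokens.get(auth[len("Bearer "):])
        if expiry is None or expiry <= now:
            # Unknown or expired token: 401 tells the caller to re-authenticate.
            return 401, {"error": "invalid_token"}
        self.received.append(body)
        return 202, {"status": "accepted"}


class ManagedConnection:
    """Models the Connection: caches the token and fetches a new one only when
    it is missing or within `skew` seconds of expiry."""

    def __init__(self, service, client_id, client_secret, skew=60):
        self._svc = service
        self._creds = {"grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}
        self._skew = skew
        self._token = None
        self._expires_at = 0.0
        self.token_requests = 0    # number of calls made to the token endpoint

    def _bearer(self, now):
        if self._token is None or now + self._skew >= self._expires_at:
            status, resp = self._svc.handle("POST", TOKEN_ENDPOINT, {}, self._creds, now)
            self.token_requests += 1
            if status != 200:
                raise PermissionError(f"token endpoint returned {status}: {resp}")
            self._token = resp["access_token"]
            self._expires_at = now + resp["expires_in"]
        return f"Bearer {self._token}"

    def deliver(self, event, now=None):
        """Send one event to the invocation endpoint; returns the HTTP status."""
        now = time.time() if now is None else now
        headers = {"Authorization": self._bearer(now), "Content-Type": "application/json"}
        status, _ = self._svc.handle("POST", EVENTS_ENDPOINT, headers, event, now)
        return status


def demo():
    """Two deliveries reuse one token; a third after expiry triggers a refresh."""
    svc = ExternalService("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", token_ttl=3600)
    conn = ManagedConnection(svc, "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")
    t0 = 1_700_000_000
    statuses = [conn.deliver({"detail-type": "UserCreated", "detail": {"userId": "u-1"}}, now=t0),
                conn.deliver({"detail-type": "UserCreated", "detail": {"userId": "u-2"}}, now=t0 + 10),
                conn.deliver({"detail-type": "UserCreated", "detail": {"userId": "u-3"}}, now=t0 + 4000)]
    return statuses, conn.token_requests, len(svc.received)


if __name__ == "__main__":
    print(demo())  # ([202, 202, 202], 2, 3)
```

The provider side is the part you actually operate: the events endpoint accepts nothing without a valid, unexpired bearer token, and the token endpoint rejects a wrong secret in constant time. The connection side shows why the page's "you don't write any code to poll for token expiration" holds: a single cached token serves consecutive deliveries, and a fresh one is requested only once the cached token is near or past its expiry.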
The next step is to learn how to transform event payloads before sending them to your external API using EventBridge Input Transformers.