Amazon WorkLink

Name: Amazon WorkLink API
Brand: Amazon WorkLink
Availability: InStock

★ Only Publicly Available SpecIdentity AuthAuthorizationapiKey33 EndpointsREST

For Agents

Manage Amazon WorkLink fleets, domain associations, and identity provider configuration for legacy mobile-access deployments still in operation.

Quickstart

Get started with Amazon WorkLink in minutes using your preferred integration method.

# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}

# Then ask your agent:
"list amazon worklink fleets"

# → Jentic returns the GET /events tool with parameter schema, agent executes.

Capabilities

What an agent can do with Amazon WorkLink API.

Create, describe, update, and delete WorkLink fleets

Associate and disassociate internal web domains with a fleet

Configure the company network (VPC, subnets, security groups) that WorkLink reaches into

Attach SAML identity provider metadata for user authentication

Manage trusted website certificate authorities and authorization providers

GET STARTED

Start building with Amazon WorkLink API

Explore with Jentic

View OpenAPI Spec

Use for: Create a new WorkLink fleet for a business unit, Associate an internal domain with a WorkLink fleet, List all devices currently registered to a fleet, Configure the SAML identity provider for a WorkLink fleet

Not supported: Does not handle desktop streaming, full VPN tunnelling, or device management for non-mobile clients — use for managing Amazon WorkLink mobile fleets, internal domains, and identity provider configuration only. Note: AWS announced WorkLink end-of-life on April 30, 2024.

Jentic publishes the only available OpenAPI specification for Amazon WorkLink, keeping it validated and agent-ready.

Jentic publishes the only available OpenAPI specification for Amazon WorkLink, keeping it validated and agent-ready. Amazon WorkLink was a managed service that provided secure access to internal websites and web apps from iOS and Android phones without VPN clients or app distribution. The API manages fleets, associates internal domains, configures audit streams, registers website certificate authorities, attaches SAML identity providers, and lists devices. The 33 operations include Associate/Disassociate verbs for domains, certificate authorities, and authorization providers, and the standard fleet CRUD plus device listing. Note: AWS ended Amazon WorkLink on April 30, 2024 — this spec is provided for legacy automation maintenance only.

Use Cases

Patterns agents use Amazon WorkLink API for, with concrete tasks.

★ Operating a Legacy WorkLink Fleet

Customers still running an Amazon WorkLink deployment use this API to keep their fleets healthy through to migration. ListFleets and DescribeFleetMetadata enumerate fleets; ListDomains and DescribeDomain show their associated internal sites; ListDevices and DescribeDevice surface registered handsets. UpdateAuditStreamConfiguration keeps the access log flowing to Kinesis Data Streams for compliance until the workload is replaced.

Call ListFleets, then for each FleetArn call DescribeFleetMetadata and ListDomains, returning a per-fleet summary with domain count and device count.

Incident Response: Revoking Access

When a phone is lost or an employee leaves, revoke their access to internal apps in seconds. SignOutUser terminates active WorkLink sessions for a username; RevokeDomainAccess blocks an internal domain from being reached through the fleet during an incident. RestoreDomainAccess re-enables the domain once the incident is resolved.

Call SignOutUser with FleetArn and Username 'jane.doe@example.com', then RevokeDomainAccess with FleetArn and DomainName 'sensitive.internal.example.com'.

Migration Inventory Build

Before retiring WorkLink, capture a full inventory: fleets, domains, certificate authorities, authorization providers, devices, audit configuration, and identity provider metadata. The Describe* and List* operations together produce the source of truth for designing the replacement (e.g. a VPN with mobile MDM or a zero-trust application proxy).

For each fleet, call DescribeFleetMetadata, DescribeIdentityProviderConfiguration, DescribeCompanyNetworkConfiguration, DescribeAuditStreamConfiguration, ListDomains, ListWebsiteCertificateAuthorities, ListWebsiteAuthorizationProviders, and ListDevices, and aggregate into a JSON inventory.

Agent-Driven Fleet Operations via Jentic

Even on a legacy service, an operations agent can manage WorkLink through Jentic without holding AWS keys. The agent submits intents like 'list all worklink fleets and their device counts', Jentic loads ListFleets and ListDevices, executes them, and returns structured results. This pattern keeps the secret material out of the agent's context until the workload is finally migrated off WorkLink.

Through Jentic, search for 'list amazon worklink fleets', load ListFleets, execute it, then for each fleet load and call ListDevices.

Key Endpoints

33 endpoints — jentic publishes the only available openapi specification for amazon worklink, keeping it validated and agent-ready.

METHOD

PATH

DESCRIPTION

POST

/listFleets

List WorkLink fleets

POST

/createFleet

Create a WorkLink fleet

POST

/associateDomain

Associate an internal domain with a fleet

POST

/listDevices

List devices registered to a fleet

POST

/signOutUser

Sign a user out of WorkLink sessions

POST

/revokeDomainAccess

Revoke access to an internal domain

POST

/listFleets

List WorkLink fleets

POST

/createFleet

Create a WorkLink fleet

POST

/associateDomain

Associate an internal domain with a fleet

POST

/listDevices

List devices registered to a fleet

POST

/signOutUser

Sign a user out of WorkLink sessions

Why though Jentic?

Three things that make agents converge on Jentic-routed access.

Credential isolation

AWS access keys for Amazon WorkLink (used to compute the AWS Signature v4 HMAC in the Authorization header) are held encrypted in the Jentic vault. Agents receive scoped, short-lived execution permissions; the raw access key ID and secret access key never enter the agent's prompt or memory.

Intent-based discovery

Agents call Jentic with an intent like 'list amazon worklink fleets' and Jentic returns the matching Amazon WorkLink operation along with its input schema, so the agent can invoke the right action without parsing AWS service docs.

Time to first call

Direct integration with Amazon WorkLink: 2-4 days to wire up SigV4 signing, error handling, retries, and IAM scoping. Through Jentic: under an hour — search by intent, load the operation schema, execute.

Related APIs

Alternatives and complements available in the Jentic catalogue.

Alternative

AWS Single Sign-On

AWS SSO provides modern workforce identity and SAML federation that supersedes WorkLink's identity model.

Choose AWS SSO for new workforce identity work; use WorkLink only when maintaining legacy fleets.

Complementary

Amazon Cognito Identity

Cognito Identity issues AWS credentials to mobile apps, complementing WorkLink's web-app reach into corporate intranets.

Use Cognito for user-facing mobile apps; use WorkLink (where still active) for intranet web access from mobile.

Complementary

AWS CloudTrail

CloudTrail records WorkLink management API events for audit and incident response.

Use CloudTrail to track who modified a WorkLink fleet during a change window.

FAQs

Specific to using Amazon WorkLink API through Jentic.

Why is there no official OpenAPI spec for Amazon WorkLink?

AWS does not publish an OpenAPI specification for Amazon WorkLink; it ships Smithy models and language-specific SDKs instead. Jentic generates and maintains this OpenAPI spec so that AI agents and developers can call Amazon WorkLink via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.

What authentication does Amazon WorkLink use?

WorkLink uses AWS SigV4 in the Authorization header. The IAM principal needs worklink:* permissions on the relevant fleet ARN. Through Jentic, your AWS keys stay in the vault and Jentic signs each request.

Can I still use Amazon WorkLink?

AWS announced end-of-life for Amazon WorkLink on April 30, 2024. This API is documented for customers maintaining or migrating off existing fleets; new deployments should use a VPN, AWS Verified Access, or another zero-trust application proxy.

What are the rate limits for the WorkLink API?

WorkLink has modest management-API throughput intended for fleet administration: a few transactions per second per account. Throttling responses use the standard ThrottlingException; retry with exponential back-off.

How do I list WorkLink fleets through Jentic?

Search Jentic with 'list amazon worklink fleets', load ListFleets, and execute it (paginating with NextToken if needed). Jentic returns the FleetSummaryList with each fleet's ARN, name, and creation time.

Can I sign a user out of all WorkLink sessions at once?

Yes. SignOutUser with FleetArn and Username terminates the user's active WorkLink sessions on every device for that fleet. Pair with RevokeDomainAccess if you also need to block specific internal domains.

Does WorkLink support SAML for user authentication?

Yes. Use UpdateIdentityProviderConfiguration to attach SAML metadata for the fleet; users then authenticate to internal apps with their corporate SSO. DescribeIdentityProviderConfiguration returns the current SAML metadata document URL.