Deploy Arcade on AWS
Arcade runs on AWS as a full platform deployment into your own AWS . The AWS offering is currently available through a private offer rather than a public self-serve listing.
AWS is available by private offer today. Request access and we’ll share a private offer and the deployment details for your . If you’d rather manage the platform yourself, see Self-host with Helm.
What gets deployed
The AWS deployment stands up the complete Arcade platform — Engine, Coordinator, Worker, Dashboard, and Experience API — in your , using managed AWS services:
| AWS service | Role |
|---|---|
| Amazon EKS | Runs the Arcade services |
| Amazon RDS for PostgreSQL | Primary datastore |
| Amazon ElastiCache | Cache and streams |
| VPC + private subnets | Private networking |
Before you begin
- AWS with permission to accept a Marketplace private offer and deploy the stack.
- Region. Confirm the offer targets your preferred region.
- Identity provider. Have an OIDC identity provider ready — see below.
The exact prerequisites, parameters, and deployment steps for AWS are being finalized. The steps below are a high-level outline — contact us for the current, -specific instructions.
Set up your identity provider
Arcade signs users in through your OpenID Connect (OIDC) identity provider. The provider authenticates dashboard users and backs the tokens that MCP gateways validate, so you set it up before you deploy.
- Register an application with your identity provider. Arcade works with Microsoft Entra ID, Okta, Auth0, or Keycloak, or any standards-compliant OIDC provider.
- Copy the application's client ID, generate a client secret, and note the issuer URL. For Microsoft Entra ID, use the v2.0 issuer
https://login.microsoftonline.com/<tenant-id>/v2.0. - Provide the client ID, client secret, and issuer in the deployment parameters.
- After the deployment finishes, register the redirect URI from the deployment output — typically
https://coordinator.<your-hostname>/signin/oidc/callback— as a redirect (reply) URI on the application, then sign in to the dashboard.
AADSTS500113: No reply address is registered for the application, the redirect URI has not been added to your identity provider application yet. Add it and try again.Deploy
Accept the private offer
Follow the private-offer link we share to subscribe to the Arcade listing in AWS Marketplace.
Launch the deployment
Launch the deployment and provide your parameters, including your identity provider’s client ID, client secret, and issuer.
Register the redirect URI
Once the deployment finishes and reports your hostname, register the redirect URI on your identity provider application, as described in Set up your identity provider.
Verify your deployment
Open the dashboard URL from the deployment output and sign in with your identity provider.
Next steps
- Create an MCP Gateway to scope and auth for each client
- Connect an MCP client to a gateway URL
- Set up a User Source to authenticate end with your own identity provider