Getting Started

ThinkWork deploys entirely into your AWS account. There is no SaaS control plane, no shared infrastructure, and no black-box hosted harness. You own everything, the code runs in your VPC, data lives in your Aurora database, and models run through your Bedrock endpoint.

This guide walks you from zero to a running agent invoke. The point is not just that ThinkWork is powerful. It is that production-grade agent infrastructure can be straightforward to deploy without surrendering ownership of the runtime.

Prerequisites

Before you start, make sure you have:

• AWS account with the ability to create IAM roles, Lambda functions, Aurora clusters, and AppSync APIs
• AWS credentials configured locally (~/.aws/credentials or environment variables)
• Node.js 20+ — the CLI is distributed via npm
• Terraform 1.6+ — the CLI shells out to terraform under the hood
• Bedrock model access — enable at least one Claude model (e.g. anthropic.claude-3-5-sonnet-20241022-v2:0) in your target region

Tip

Run aws sts get-caller-identity to confirm your credentials are working before you proceed. The CLI will fail early with a clear error if credentials are missing, but it’s faster to check now.

Step 1 — Install the CLI

npm install -g thinkwork-cli

Confirm it installed correctly:

thinkwork --version
# 1.0.0

Step 2 — Login

thinkwork login connects the CLI to your AWS account and stores a named environment profile.

thinkwork login

You’ll be prompted for:

• Environment name — a short label for this deployment (e.g. dev, prod, acme-staging)
• AWS region — where to deploy (e.g. us-east-1)
• AWS profile — which profile from ~/.aws/credentials to use (or default)

Credentials are stored at ~/.thinkwork/environments/<name>.json. You can have multiple environments pointing at different accounts or regions.

# Log in to a second environment
thinkwork login
# When prompted, enter a different environment name and account

Step 3 — Initialize a deployment

thinkwork init scaffolds a ThinkWork deployment directory with a terraform.tfvars file and a local state configuration.

thinkwork init -s dev

This creates a thinkwork/ directory (or uses the current directory if you’re already inside one) with:

thinkwork/
├── terraform.tfvars        # Your deployment variables
├── .terraform.lock.hcl     # Provider lock file (committed to git)
└── .thinkwork/             # Local CLI metadata
    └── stage.json

Open terraform.tfvars and fill in the required values:

terraform.tfvars

stage       = "dev"
region      = "us-east-1"
account_id  = "123456789012"
db_password = "change-me-before-deploy"

# Optional — defaults shown
database_engine = "aurora-serverless"   # or "rds-postgres"
# enable_hindsight = true                # optional Hindsight add-on (ECS+ALB)

AgentCore managed memory is always on — every agent gets automatic per-turn retention with zero config. Set enable_hindsight = true to additionally provision the Hindsight ECS service for semantic + entity-graph retrieval alongside it.

Caution

Do not commit db_password to source control. Use a secrets manager or environment variable injection in CI. See Configuration Reference for all available variables.

Step 4 — Deploy

thinkwork deploy -s dev

This command runs terraform init followed by terraform apply inside the ThinkWork module. The first deploy provisions approximately 260 AWS resources across three tiers:

• Foundation — VPC, subnets, Cognito user pool, KMS keys, Route53 records
• Data — Aurora Postgres cluster, S3 buckets, Bedrock Knowledge Base
• App — AppSync API, API Gateway, AgentCore Lambda, Step Functions, SES

A typical first deploy takes 12–18 minutes. Subsequent deploys that don’t touch the database or VPC take 2–4 minutes.

thinkwork deploy -s dev

Initializing Terraform...
Planning changes...

  + 264 resources to create

Applying... this will take ~15 minutes on first deploy.

✓ Foundation tier complete (4m 12s)
✓ Data tier complete (6m 33s)
✓ App tier complete (3m 44s)

Deploy complete. Run `thinkwork outputs -s dev` to see endpoints.

Step 5 — Run doctor

thinkwork doctor validates your deployment end-to-end. It checks that every major service is reachable and configured correctly.

thinkwork doctor -s dev

thinkwork doctor -s dev

Checking deployment: dev (us-east-1)

  ✓ Terraform state readable
  ✓ Aurora cluster: available
  ✓ Cognito user pool: active
  ✓ AppSync API: reachable
  ✓ API Gateway: reachable
  ✓ AgentCore Lambda: responding
  ✓ Bedrock model access: anthropic.claude-3-5-sonnet-20241022-v2:0
  ✓ S3 skill bucket: accessible
  ✓ SES sending: verified

All checks passed.

If any check fails, doctor prints the specific error and a remediation hint.

Step 6 — Invoke your first agent

Use the GraphQL API to create a thread and send a message. Grab your AppSync endpoint from outputs:

thinkwork outputs -s dev

AppSync API URL:    https://abc123.appsync-api.us-east-1.amazonaws.com/graphql
API Gateway URL:    https://xyz789.execute-api.us-east-1.amazonaws.com
Admin App URL:      https://app.thinkwork.dev.example.com
Cognito Pool ID:    us-east-1_ABC123XYZ

Then send your first message. You can use the admin web app, a GraphQL client, or the test harness:

GraphQL (curl)

# 1. Create a thread
curl -X POST https://xyz789.execute-api.us-east-1.amazonaws.com/graphql \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "mutation CreateThread($input: CreateThreadInput!) { createThread(input: $input) { id prefix status } }",
    "variables": {
      "input": {
        "channel": "CHAT",
        "title": "My first thread"
      }
    }
  }'

# 2. Send a message
curl -X POST https://xyz789.execute-api.us-east-1.amazonaws.com/graphql \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "mutation SendMessage($input: SendMessageInput!) { sendMessage(input: $input) { id body role } }",
    "variables": {
      "input": {
        "threadId": "CHAT-0001",
        "body": "What can you help me with?"
      }
    }
  }'

Admin App

Navigate to your Admin App URL, sign in with your Cognito user, click New Thread, and type your first message. The agent response streams back in real time via AppSync subscription.

What’s next

• Read Concepts: Threads to understand the universal work container
• Read Concepts: Agents to understand how AgentCore, Bedrock, templates, and skill packs fit together
• Read Concepts: Memory to understand document knowledge, long-term memory, and retrieval context
• Read Concepts: Connectors to see how ThinkWork connects to external channels, events, and MCP-based tool systems
• See Deploy: Greenfield for a detailed walkthrough of what gets created
• See Deploy: BYO Infrastructure if you want to bring your own VPC, database, or Cognito