Skip to main content
Configuration for JWT verification when RBAC authorization is enabled on AgentOS.

Import

from agno.os.config import AuthorizationConfig

Parameters

ParameterTypeDefaultDescription
verification_keysOptional[List[str]]NoneList of keys used to verify JWT signatures. For asymmetric algorithms (e.g. RS256), use public keys. For symmetric algorithms (e.g. HS256), use shared secrets. Each key is tried in order until one succeeds. Useful for accepting tokens from multiple issuers.
jwks_fileOptional[str]NonePath to a static JWKS (JSON Web Key Set) file containing public keys. Keys are matched by kid (key ID) from the JWT header. Alternative to verification_keys for RSA key management.
algorithmOptional[str]"RS256"JWT algorithm for token verification. Common options: RS256 (asymmetric), HS256 (symmetric).
verify_audienceOptional[bool]FalseWhether to verify the JWT’s aud claim matches the expected audience.
audienceOptional[str]AgentOS idExpected audience claim. When verify_audience=True, the token’s aud must match this value. Defaults to the AgentOS id.
admin_scopeOptional[str]"agent_os:admin"The scope that grants full admin access. Holders bypass user isolation and can access all data.
user_isolationboolFalseOpt-in per-user data isolation. When True, non-admin callers can only read and write rows associated with their JWT sub claim. Affects sessions, memories, traces, and cancel/resume/continue routes.

Usage

from agno.os import AgentOS
from agno.os.config import AuthorizationConfig

agent_os = AgentOS(
    id="my-agent-os",
    agents=[my_agent],
    authorization=True,
    authorization_config=AuthorizationConfig(
        verification_keys=["your-public-key-or-secret"],
        algorithm="RS256",
    ),
)

Algorithm Options

AlgorithmTypeKey Format
RS256Asymmetric (RSA)Public key (PEM format)
RS384Asymmetric (RSA)Public key (PEM format)
RS512Asymmetric (RSA)Public key (PEM format)
HS256Symmetric (HMAC)Shared secret string
HS384Symmetric (HMAC)Shared secret string
HS512Symmetric (HMAC)Shared secret string
ES256Asymmetric (ECDSA)Public key (PEM format)
ES384Asymmetric (ECDSA)Public key (PEM format)
ES512Asymmetric (ECDSA)Public key (PEM format)

Examples

Using RS256 (Asymmetric)

# RS256 with a public key
authorization_config = AuthorizationConfig(
    verification_keys=["""-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----"""],
    algorithm="RS256",
)

Using HS256 (Symmetric)

# HS256 with a shared secret
authorization_config = AuthorizationConfig(
    verification_keys=["your-256-bit-secret-key"],
    algorithm="HS256",
)

Using JWKS File

# RS256 with a JWKS file
authorization_config = AuthorizationConfig(
    jwks_file="/path/to/jwks.json",
    algorithm="RS256",
)
The JWKS file should follow the standard format: 
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "my-key-id",
      "use": "sig",
      "alg": "RS256",
      "n": "0vx7agoebGc...",
      "e": "AQAB"
    }
  ]
}

See Also