AgentOS supports two security modes:
| Mode | When to use |
| --- | --- |
| Authorization (Recommended) | Production. JWTs prove identity and scopes control permissions. |
| Basic Authentication | Development. A shared key proves identity. |

Authorization

AgentOS validates JWT tokens and checks scopes against required permissions for each endpoint. Enable it with authorization=True:
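from agno.os import AgentOS

# my_agent is an Agent instance defined elsewhere in your application.
agent_os = AgentOS(
    id="my-agent-os",
    agents=[my_agent],
    authorization=True,  # validate JWTs and enforce scopes on each endpoint
)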
Tokens can be issued by the AgentOS control plane, your own backend, or a third-party identity provider like WorkOS, Auth0, or Okta. Requests without a valid JWT return 401 Unauthorized; requests with insufficient scopes return 403 Forbidden. See Authorization for the full setup.
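The 401-versus-403 split described above, as an added standalone sketch (not AgentOS code): a failed identity check (missing, forged, or expired token) yields 401, and a valid token lacking the required scope yields 403. It assumes HS256 tokens, a `scopes` claim holding a list, and hypothetical scope names such as `agents:read`; the key is a constructed sample.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real one

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 token; stands in for whichever issuer you use."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(key, f'{head}.{body}'))}"

def authorize(auth_header, required_scope, key=SECRET, now=None) -> int:
    """Return the status a request would receive: 200, 401 or 403."""
    now = time.time() if now is None else now
    try:
        scheme, token = (auth_header or "").split(" ", 1)
        head, body, sig = token.split(".")
        if scheme != "Bearer":
            return 401
        # Pin the algorithm server-side; the token header must not choose it.
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return 401
        # Constant-time comparison of the expected and presented signatures.
        if not hmac.compare_digest(_sign(key, f"{head}.{body}"), _unb64(sig)):
            return 401
        claims = json.loads(_unb64(body))
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return 401
    except (ValueError, TypeError, AttributeError):
        return 401  # malformed header or token: identity not proven
    # Identity is established; only now is the permission question asked.
    scopes = claims.get("scopes")
    if not isinstance(scopes, list) or required_scope not in scopes:
        return 403
    return 200

if __name__ == "__main__":
    tok = issue({"sub": "user-1", "scopes": ["agents:read"], "exp": time.time() + 60})
    print(authorize(f"Bearer {tok}", "agents:read"), authorize(f"Bearer {tok}", "agents:run"))
```

In production, use a maintained JWT library and your issuer's published keys rather than hand-rolled verification.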

Basic Authentication

Set a shared secret in the OS_SECURITY_KEY environment variable:
export OS_SECURITY_KEY="your-secret-key"
Requests without a valid Authorization: Bearer <key> header return 401 Unauthorized. This is the simplest path to a protected AgentOS, suitable for local development or single-team prototypes. For production deployments, use Authorization instead.

Next Steps

Authorization

JWT validation, scopes, roles, and per-user data isolation.

JWT Middleware

Token sources, claim extraction, and parameter injection.