Configuration for JWT verification when RBAC authorization is enabled on AgentOS.

Import

from agno.os.config import AuthorizationConfig

Parameters

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| verification_keys | Optional[List[str]] | None | List of keys used to verify JWT signatures. For asymmetric algorithms (e.g. RS256), use public keys. For symmetric algorithms (e.g. HS256), use shared secrets. Each key is tried in order until one succeeds - useful for accepting tokens from multiple issuers. |
| jwks_file | Optional[str] | None | Path to a static JWKS (JSON Web Key Set) file containing public keys. Keys are matched by kid (key ID) from the JWT header. Alternative to verification_keys for RSA key management. |
| algorithm | Optional[str] | RS256 | JWT algorithm for token verification. Common options: RS256 (asymmetric), HS256 (symmetric). |
| verify_audience | Optional[bool] | False | Whether to verify the audience claim of the JWT token. This should not be enabled for AgentOS Control Plane traffic. |

Usage

from agno.os import AgentOS
from agno.os.config import AuthorizationConfig

agent_os = AgentOS(
    id="my-agent-os",
    agents=[my_agent],  # my_agent: an Agent instance defined elsewhere
    authorization=True,
    authorization_config=AuthorizationConfig(
        verification_keys=["your-public-key-or-secret"],
        algorithm="RS256",
    ),
)

Algorithm Options

| Algorithm | Type | Key Format |
| --- | --- | --- |
| RS256 | Asymmetric (RSA) | Public key (PEM format) |
| RS384 | Asymmetric (RSA) | Public key (PEM format) |
| RS512 | Asymmetric (RSA) | Public key (PEM format) |
| HS256 | Symmetric (HMAC) | Shared secret string |
| HS384 | Symmetric (HMAC) | Shared secret string |
| HS512 | Symmetric (HMAC) | Shared secret string |
| ES256 | Asymmetric (ECDSA) | Public key (PEM format) |
| ES384 | Asymmetric (ECDSA) | Public key (PEM format) |
| ES512 | Asymmetric (ECDSA) | Public key (PEM format) |

Examples

Using RS256 (Asymmetric)

# RS256 with a public key
authorization_config = AuthorizationConfig(
    verification_keys=["""-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----"""],
    algorithm="RS256",
)

Using HS256 (Symmetric)

# HS256 with a shared secret
authorization_config = AuthorizationConfig(
    verification_keys=["your-256-bit-secret-key"],
    algorithm="HS256",
)

Using JWKS File

# RS256 with a JWKS file
authorization_config = AuthorizationConfig(
    jwks_file="/path/to/jwks.json",
    algorithm="RS256",
)

The JWKS file should follow the standard format:

{
  "keys": [
    {
      "kty": "RSA",
      "kid": "my-key-id",
      "use": "sig",
      "alg": "RS256",
      "n": "0vx7agoebGc...",
      "e": "AQAB"
    }
  ]
}
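
A pre-deployment check for a file you intend to pass as jwks_file, together with the kid-based key selection described for that parameter. This is an added example, not agno's own code; the function names, the lint rules, and the sample token are assumptions constructed for illustration.

```python
import base64
import json

# Private-key members from RFC 7518 (RSA and EC); none belong in a verification JWKS.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}


def lint_jwks(jwks, algorithm="RS256"):
    """Return a list of problems in a JWKS intended for signature verification."""
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        return ["'keys' must be a non-empty list"]
    problems, seen = [], set()
    for i, key in enumerate(keys):
        kid = key.get("kid")
        label = f"keys[{i}] (kid={kid!r})"
        if not kid:
            problems.append(f"{label}: missing kid, cannot match a JWT header")
        elif kid in seen:
            problems.append(f"{label}: duplicate kid")
        seen.add(kid)
        if key.get("kty") == "oct" or PRIVATE_MEMBERS & key.keys():
            problems.append(f"{label}: contains secret or private key material")
        if key.get("use", "sig") != "sig":
            problems.append(f"{label}: use is not 'sig'")
        if key.get("alg", algorithm) != algorithm:
            problems.append(f"{label}: alg does not match {algorithm!r}")
    return problems


def select_key(jwks, token):
    """Pick the JWKS entry whose kid equals the kid in the (unverified) JWT header."""
    segment = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    kid = header.get("kid")
    return next((k for k in jwks["keys"] if kid and k.get("kid") == kid), None)


def b64url(obj):
    """Base64url-encode a JSON object without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample data: same shape as the JWKS above; the signature is a placeholder.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "my-key-id", "use": "sig",
                         "alg": "RS256", "n": "0vx7agoebGc...", "e": "AQAB"}]}
SAMPLE_TOKEN = b64url({"alg": "RS256", "kid": "my-key-id"}) + "." + b64url({"sub": "demo"}) + ".sig"

if __name__ == "__main__":
    print(lint_jwks(SAMPLE_JWKS), select_key(SAMPLE_JWKS, SAMPLE_TOKEN))
```

The header is read before any signature check, so its kid is only a lookup hint; a token whose kid matches no entry should be rejected rather than retried against other keys.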
