AuthorizationConfig

Configuration for JWT verification when RBAC authorization is enabled on AgentOS.

Import

from agno.os.config import AuthorizationConfig

Parameters

Parameter	Type	Default	Description
`verification_keys`	`Optional[List[str]]`	`None`	List of keys used to verify JWT signatures. For asymmetric algorithms (e.g. RS256), use public keys. For symmetric algorithms (e.g. HS256), use shared secrets. Each key is tried in order until one succeeds. Useful for accepting tokens from multiple issuers.
`jwks_file`	`Optional[str]`	`None`	Path to a static JWKS (JSON Web Key Set) file containing public keys. Keys are matched by `kid` (key ID) from the JWT header. Alternative to `verification_keys` for RSA key management.
`algorithm`	`Optional[str]`	`"RS256"`	JWT algorithm for token verification. Common options: `RS256` (asymmetric), `HS256` (symmetric).
`verify_audience`	`Optional[bool]`	`False`	Whether to verify the JWT’s `aud` claim matches the expected audience.
`audience`	`Optional[str]`	AgentOS `id`	Expected audience claim. When `verify_audience=True`, the token’s `aud` must match this value. Defaults to the AgentOS `id`.
`admin_scope`	`Optional[str]`	`"agent_os:admin"`	The scope that grants full admin access. Holders bypass user isolation and can access all data.
`user_isolation`	`bool`	`False`	Opt-in per-user data isolation. When `True`, non-admin callers can only read and write rows associated with their JWT `sub` claim. Affects sessions, memories, traces, and cancel/resume/continue routes.

Usage

from agno.os import AgentOS
from agno.os.config import AuthorizationConfig

agent_os = AgentOS(
    id="my-agent-os",
    agents=[my_agent],
    authorization=True,
    authorization_config=AuthorizationConfig(
        verification_keys=["your-public-key-or-secret"],
        algorithm="RS256",
    ),
)

Algorithm Options

Algorithm	Type	Key Format
`RS256`	Asymmetric (RSA)	Public key (PEM format)
`RS384`	Asymmetric (RSA)	Public key (PEM format)
`RS512`	Asymmetric (RSA)	Public key (PEM format)
`HS256`	Symmetric (HMAC)	Shared secret string
`HS384`	Symmetric (HMAC)	Shared secret string
`HS512`	Symmetric (HMAC)	Shared secret string
`ES256`	Asymmetric (ECDSA)	Public key (PEM format)
`ES384`	Asymmetric (ECDSA)	Public key (PEM format)
`ES512`	Asymmetric (ECDSA)	Public key (PEM format)

Examples

Using RS256 (Asymmetric)

# RS256 with a public key
authorization_config = AuthorizationConfig(
    verification_keys=["""-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----"""],
    algorithm="RS256",
)

Using HS256 (Symmetric)

# HS256 with a shared secret
authorization_config = AuthorizationConfig(
    verification_keys=["your-256-bit-secret-key"],
    algorithm="HS256",
)

Using JWKS File

# RS256 with a JWKS file
authorization_config = AuthorizationConfig(
    jwks_file="/path/to/jwks.json",
    algorithm="RS256",
)

The JWKS file should follow the standard format:

{
  "keys": [
    {
      "kty": "RSA",
      "kid": "my-key-id",
      "use": "sig",
      "alg": "RS256",
      "n": "0vx7agoebGc...",
      "e": "AQAB"
    }
  ]
}

​Import

​Parameters

​Usage

​Algorithm Options

​Examples

​Using RS256 (Asymmetric)

​Using HS256 (Symmetric)

​Using JWKS File

​See Also

Import

Parameters

Usage

Algorithm Options

Examples

Using RS256 (Asymmetric)

Using HS256 (Symmetric)

Using JWKS File

See Also