- Token Validation: Validates JWT tokens and handles authentication
- Parameter Injection: Automatically injects user_id, session_id, and custom claims into endpoint parameters
- RBAC Authorization: Validates scopes against required permissions for each endpoint
jwt_middleware_setup.py
Token Sources
The middleware supports three token sources:- Both Sources
JWKS File Support
For environments using RSA keys managed via JWKS (JSON Web Key Set), you can point to a static JWKS file instead of providing raw public keys:jwks_file_setup.py
- Load public keys from the JWKS file at startup
- Match incoming tokens by their
kid(key ID) header claim - Validate signatures using the appropriate key
JWKS File Format
The JWKS file should follow the standard format:Environment Variable
You can also set the JWKS file path via environment variable:JWKS keys are tried first (matched by
kid). If no matching key is found, the middleware falls back to verification_keys if provided.Parameter Injection
The middleware automatically injects JWT claims into AgentOS endpoints. The following parameters are extracted from tokens and injected into requests:user_id- User identifier from token claimssession_id- Session identifier from token claimsdependencies- Custom claims for agent toolssession_state- Custom claims for session management
/agents/{agent_id}/runs endpoint automatically uses user_id, session_id, dependencies, and session_state from the JWT token when available.
This is useful for:
- Automatically using the
user_idandsession_idfrom your JWT token when running an agent - Automatically filtering sessions retrieved from
/sessionsendpoints byuser_id(where applicable) - Automatically injecting
dependenciesfrom claims in your JWT token into the agent run, which then is available on tools called by your agent
Security Features
Use strong verification keys, store them securely (not in code), and enable validation in production.
validate=True, the middleware:
- Verifies JWT signature using the verification key
- Checks token expiration (
expclaim) - Returns 401 errors for invalid/expired tokens
verify_audience=True, the middleware:
- If
audienceis provided, it will validate the token’s audience claim matches the expected audience claim - If
audienceis not provided, it will validate the token’s audience claim matches the AgentOS ID - Optionally set the
audience_claimto validate a custom audience claim - Returns 401 for tokens with mismatched audience
RBAC Authorization
Enable Role-Based Access Control (RBAC) to validate JWT scopes against required permissions:jwt_with_rbac.py
authorization=True, the middleware:
- Checks the
scopesclaim in JWT tokens - Validates scopes against required permissions for each endpoint
- Returns 403 Forbidden for insufficient permissions
Scope Format
Custom Scope Mappings
Override or extend default scope mappings:custom_scope_mappings.py
Excluded Routes
Skip middleware for specific routes:jwt_excluded_routes.py
Configuration Options
See the JWTMiddleware Reference for the complete list of configuration options.Authentication Options
Token Source Options
Claim Extraction Options
Authorization Options (RBAC)
Examples
JWT with Headers
JWT authentication using Authorization headers for API clients.
JWT with Cookies
JWT authentication using HTTP-only cookies for web applications.
Custom FastAPI + JWT
Custom FastAPI app with JWT middleware and AgentOS integration.
RBAC Documentation
Detailed RBAC scopes, permissions, and access control configuration.
JWTMiddleware Reference
Complete JWT middleware class reference.
External Resources
PyJWT Documentation
Official PyJWT library documentation for JWT encoding and decoding.