Skip to main content
Authenticate and authorize requests to your AgentOS application using JWT tokens. The middleware extracts tokens from Authorization headers or cookies, validates them, and automatically injects user_id, session_id, and custom claims into your endpoints. The JWT middleware provides three main features:
  1. Token Validation: Validates JWT tokens and handles authentication
  2. Parameter Injection: Automatically injects user_id, session_id, and custom claims into endpoint parameters
  3. RBAC Authorization: Validates scopes against required permissions for each endpoint
jwt_middleware_setup.py

Token Sources

The middleware supports three token sources:
Extract JWT from Authorization: Bearer <token> header.

JWKS File Support

For environments using RSA keys managed via JWKS (JSON Web Key Set), you can point to a static JWKS file instead of providing raw public keys:
jwks_file_setup.py
The middleware will:
  1. Load public keys from the JWKS file at startup
  2. Match incoming tokens by their kid (key ID) header claim
  3. Validate signatures using the appropriate key

JWKS File Format

The JWKS file should follow the standard format:

Environment Variable

You can also set the JWKS file path via environment variable:
JWKS keys are tried first (matched by kid). If no matching key is found, the middleware falls back to verification_keys if provided.

Parameter Injection

The middleware automatically injects JWT claims into AgentOS endpoints. The following parameters are extracted from tokens and injected into requests:
  • user_id - User identifier from token claims
  • session_id - Session identifier from token claims
  • dependencies - Custom claims for agent tools
  • session_state - Custom claims for session management
For example, the /agents/{agent_id}/runs endpoint automatically uses user_id, session_id, dependencies, and session_state from the JWT token when available. This is useful for:
  • Automatically using the user_id and session_id from your JWT token when running an agent
  • Automatically filtering sessions retrieved from /sessions endpoints by user_id (where applicable)
  • Automatically injecting dependencies from claims in your JWT token into the agent run, which then is available on tools called by your agent
View the full example for more details.

Security Features

Use strong verification keys, store them securely (not in code), and enable validation in production.
Token Validation: When validate=True, the middleware:
  • Verifies JWT signature using the verification key
  • Checks token expiration (exp claim)
  • Returns 401 errors for invalid/expired tokens
Audience Verification: When verify_audience=True, the middleware:
  • If audience is provided, it will validate the token’s audience claim matches the expected audience claim
  • If audience is not provided, it will validate the token’s audience claim matches the AgentOS ID
  • Optionally set the audience_claim to validate a custom audience claim
  • Returns 401 for tokens with mismatched audience
HTTP-Only Cookies: When using cookies:
  • Set httponly=True to prevent JavaScript access (XSS protection)
  • Set secure=True for HTTPS-only transmission
  • Set samesite="strict" for CSRF protection

RBAC Authorization

Enable Role-Based Access Control (RBAC) to validate JWT scopes against required permissions:
jwt_with_rbac.py
When authorization=True, the middleware:
  • Checks the scopes claim in JWT tokens
  • Validates scopes against required permissions for each endpoint
  • Returns 403 Forbidden for insufficient permissions

Scope Format

Custom Scope Mappings

Override or extend default scope mappings:
custom_scope_mappings.py
For detailed RBAC documentation including all available scopes and default mappings, see RBAC Documentation.

Excluded Routes

Skip middleware for specific routes:
jwt_excluded_routes.py

Configuration Options

See the JWTMiddleware Reference for the complete list of configuration options.

Authentication Options

Token Source Options

Claim Extraction Options

Authorization Options (RBAC)

Examples

JWT with Headers

JWT authentication using Authorization headers for API clients.

JWT with Cookies

JWT authentication using HTTP-only cookies for web applications.

Custom FastAPI + JWT

Custom FastAPI app with JWT middleware and AgentOS integration.

RBAC Documentation

Detailed RBAC scopes, permissions, and access control configuration.

JWTMiddleware Reference

Complete JWT middleware class reference.

External Resources

PyJWT Documentation

Official PyJWT library documentation for JWT encoding and decoding.