Skip to main content
AgentOS supports two security mechanisms:

Basic Authentication

Set the OS_SECURITY_KEY environment variable:
Requests without a valid Authorization: Bearer <key> header return 401 Unauthorized.

Role-Based Access Control (RBAC)

RBAC validates JWT tokens and checks scopes against required permissions for each endpoint. Enable it with authorization=True:
Set the JWT_VERIFICATION_KEY environment variable to your public key:
You can generate a key pair from the control plane when connecting a new OS or from the Settings page for an existing OS. Requests without a valid JWT return 401 Unauthorized. Requests with insufficient scopes return 403 Forbidden. See RBAC Documentation for scope format, available scopes, and endpoint mappings.

RBAC Documentation

Complete scopes, permissions, and access control configuration.

JWT Middleware

JWT authentication with parameter injection and claims extraction.