Skip to main content
AgentOS validates JWT scopes against required permissions for each endpoint. Control who can access and run your agents, teams, and workflows. JWT verification flow

Quick Start

Enable RBAC when initializing AgentOS:
Set the JWT_VERIFICATION_KEY environment variable to your public key in your .env file or export it directly in your terminal:

Scope Format

RBAC uses a hierarchical scope format:

Complete Scope Reference

Admin Scopes

System Scopes

Agent Scopes

Team Scopes

Workflow Scopes

Session Scopes

Memory Scopes

Knowledge Scopes

Metrics Scopes

Evaluation Scopes

Trace Scopes

Schedule Scopes

Approval Scopes

Default Scope Mappings

AgentOS automatically maps endpoints to required scopes.

Custom Scope Mappings

Customize or extend the default scope mappings using the JWT middleware:
Custom scope mappings are additive to the defaults. To override a default, specify the same route pattern with your custom scopes.

JWT Token Structure

Your JWT tokens should include:

Example Tokens

Read-only access:
Run a specific agent:
Admin access:

Configuration Options

Configure JWT verification using AuthorizationConfig:
You can also use a JWKS file:
Or set environment variables:

Excluded Routes

These routes are excluded from RBAC checks by default: /, /health, /docs, /redoc, /openapi.json, /docs/oauth2-redirect

Error Responses

Examples

Basic RBAC

Basic RBAC example

Per-Agent Permissions

Grant specific permissions to specific agents

Developer Resources

AuthorizationConfig Reference

Configuration options for JWT verification

JWTMiddleware Reference

Complete JWT middleware class reference