Skip to main content
AgentOS security works in layers. Each one stops a different class of attack, from unauthenticated requests at the edge to cross-user data access in the database. AgentOS give you good defaults at every layer
Network-layer controls (rate limiting, WAF, IP allowlists, mTLS) live at your reverse proxy or API gateway layer.

Authentication

A production AgentOS sits behind JWT-validating middleware. Every request carries a token signed by the control plane; your service verifies it with a public key.
authorization=True drives both layers:
  • Authentication (this section): requires a valid JWT on every request.
  • Authorization (below): enforces the token’s scopes per endpoint.
A small set of public routes are exempt from the JWT requirement: /, /health, /info, /docs, /redoc, /openapi.json, /docs/oauth2-redirect.

Get a JWT_VERIFICATION_KEY

1

Toggle JWT authorization

Open os.agno.comAdd OSLive → paste your URL. Enable JWT authorization when connecting a new AgentOS, or later from the OS Settings page.
2

Copy the public key

Copy the public key for your AgentOS from the modal.
3

Set the verification key

Set the JWT_VERIFICATION_KEY environment variable to your public key in your .env file or export it directly in your terminal:
Or, if you manage keys via a JWKS file, point AgentOS at it instead:
The control plane keeps the private key. Your service only ever sees the public key. JWTs are signed by the control plane and verified by your service. See Generate a Verification Key for the full walkthrough.

Custom JWT configuration

If you’re issuing JWTs from your own auth provider, pass an AuthorizationConfig:
verification_keys is a list, so you can rotate keys without downtime. Old tokens validate against the old key, and new tokens against the new. Drop the old key once tokens have expired. With verify_audience=True, AgentOS rejects tokens whose aud claim doesn’t match the expected audience. That expected value defaults to the AgentOS id; set audience to override it when your provider mints a different value. JWT claim names (scopes, sub) are configured on the JWT middleware itself, not on AuthorizationConfig. The defaults (scopes for the scopes claim, sub for the user id claim) match the tokens minted by the control plane.

Authorization (RBAC scopes)

Every JWT carries a scopes claim. Endpoints are gated on scopes. The control plane mints each token with the appropriate scopes. Scopes are bundled into roles and assigned to users in the control plane: AgentOS ships three default roles (owner, admin, member), and custom roles are available on Enterprise. See the RBAC scope reference for the full scope list, Default Roles for what each grants, and Custom Roles to compose your own.

Request isolation

Every request gets a fresh copy of the agent, team, or workflow it’s hitting. AgentOS calls deep_copy() on the registered component per request, so mutable state (session-scoped variables, tool execution context, run metadata) never bleeds between concurrent calls. Heavy resources (the DB connection, the model client, MCP tool handles) are shared by reference; only the mutable per-run state is isolated. You get cheap concurrency without the footgun of two requests racing on the same in-memory agent instance. This is on by default for every run endpoint. There’s nothing to configure.

User isolation

Per-user data isolation is opt-in. RBAC stays in force without it, but routes operate on the unscoped DB. A caller with agents:my-agent:run could read another user’s sessions if they know the IDs. For multi-tenant deployments, turn it on:
With user_isolation=True, every non-admin caller gets: Admin callers (whoever holds the configured admin_scope, defaulting to agent_os:admin) bypass all of the above and see the full unscoped view: service accounts, internal tooling, the control plane. Per-user isolation requires a database that records user_id (PostgreSQL recommended for production).

Defaults

See the AuthorizationConfig reference for all configuration options and their defaults.