```python
from agno.agent import Agent
from agno.models.openai import OpenAIResponses
from agno.os import AgentOS


agent = Agent(
    id="my-agent",
    model=OpenAIResponses(id="gpt-5.2"),
)

agent_os = AgentOS(
    id="my-agent-os",
    agents=[agent],
    authorization=True,
)

app = agent_os.get_app()
```

authorization=True enables JWT verification. AgentOS also needs a public key to verify tokens against. Generate one from the control plane and wire it in.

Generate a Verification Key

1. Toggle JWT authorization

Enable JWT authorization when connecting a new AgentOS, or later from the OS Settings page.

2. Copy the public key

Copy the public key for your AgentOS from the modal.

3. Set the verification key

Set the JWT_VERIFICATION_KEY environment variable to your public key in your .env file or export it directly in your terminal:

```bash
export JWT_VERIFICATION_KEY="your-public-key"
```

Or, if you manage keys via a JWKS file, point AgentOS at it instead:

```bash
export JWT_JWKS_FILE="/path/to/jwks.json"
```

Authorization is now active for your AgentOS.
The control plane only issues RS256 keys, and RS256 is also the default algorithm. See authorization troubleshooting for common setup issues.

Configuration Options

Configure JWT verification using AuthorizationConfig:

```python
from agno.os import AgentOS
from agno.os.config import AuthorizationConfig

# `agent` is the Agent instance defined in the first example on this page.
agent_os = AgentOS(
    id="my-agent-os",
    agents=[agent],
    authorization=True,
    authorization_config=AuthorizationConfig(
        verification_keys=["your-jwt-verification-key"],
        algorithm="RS256",
    ),
)
```

Use a JWKS file instead:

```python
authorization_config=AuthorizationConfig(
    jwks_file="/path/to/jwks.json",
    algorithm="RS256",
)
```

Environment Variables

| Variable | Purpose |
| --- | --- |
| JWT_VERIFICATION_KEY | Single public key or shared secret. Added to verification_keys. |
| JWT_JWKS_FILE | Path to a static JWKS file. |
| JWT_JWKS | Inline JWKS JSON. |

Env vars work alongside AuthorizationConfig. Pass keys in code, env vars, or both.
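
A pre-deployment check for the key material these variables carry, as an added example that is not part of the AgentOS documentation or code base. It flags a private key placed where only a public key is needed, a value that cannot verify RS256, and a JWKS that still contains private members. The function names and sample values are constructed for illustration, and the check assumes the verification key is supplied as PEM text.

```python
import json
import re

# RSA/EC private-key JWK members (RFC 7518); a verification JWKS needs none of them.
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}
PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def check_verification_key(value, algorithm="RS256"):
    """Return problems found in a JWT_VERIFICATION_KEY value (assumed PEM for RS*)."""
    match = PEM_LABEL.search(value)
    label = match.group(1) if match else None
    if label and "PRIVATE KEY" in label:
        return ["private key supplied; verification needs only the public key"]
    if algorithm.startswith("RS") and label not in ("PUBLIC KEY", "RSA PUBLIC KEY"):
        return [f"{algorithm} expects a PEM public key, found {label or 'no PEM header'}"]
    return []


def check_jwks(document, algorithm="RS256"):
    """Return problems found in JWKS JSON text (JWT_JWKS or the JWT_JWKS_FILE content)."""
    try:
        keys = json.loads(document)["keys"]
    except (ValueError, KeyError, TypeError):
        keys = None
    if not isinstance(keys, list) or not all(isinstance(k, dict) for k in keys):
        return ["not a JWKS: expected a JSON object with a 'keys' array of objects"]
    problems = []
    for i, jwk in enumerate(keys):
        name = jwk.get("kid", f"keys[{i}]")
        leaked = sorted(PRIVATE_JWK_MEMBERS & set(jwk))
        if leaked:
            problems.append(f"{name}: private members present: {', '.join(leaked)}")
        if algorithm.startswith("RS") and jwk.get("kty") != "RSA":
            problems.append(f"{name}: kty {jwk.get('kty')!r} cannot verify {algorithm}")
        if jwk.get("alg", algorithm) != algorithm:
            problems.append(f"{name}: alg {jwk['alg']!r} differs from configured {algorithm}")
    return problems


# Constructed sample inputs (not real keys): a private PEM header and a JWKS with a leaked "d".
SAMPLE_BAD_KEY = "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----"
SAMPLE_BAD_JWKS = '{"keys": [{"kid": "demo", "kty": "RSA", "n": "AQAB", "e": "AQAB", "d": "AQAB"}]}'

if __name__ == "__main__":
    for problem in check_verification_key(SAMPLE_BAD_KEY) + check_jwks(SAMPLE_BAD_JWKS):
        print("FAIL:", problem)
```

To lint a real deployment, pass the value of JWT_VERIFICATION_KEY to `check_verification_key` and the JWT_JWKS value or the contents of the JWT_JWKS_FILE file to `check_jwks`; an empty list means nothing was flagged.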

Sending Authenticated Requests

Send the token in the Authorization header:

```bash
curl -H "Authorization: Bearer $TOKEN" http://localhost:7777/agents
```

Excluded Routes

These routes are excluded from authorization checks by default: /, /health, /info, /docs, /redoc, /openapi.json, /docs/oauth2-redirect

Error Responses

| Status Code | Description |
| --- | --- |
| 401 Unauthorized | Missing or invalid JWT token |
| 403 Forbidden | Insufficient scopes for the requested operation |

Next Steps

| Task | Guide |
| --- | --- |
| Understand JWT claim structure | Tokens |
| Issue tokens from your own backend | Self-Hosted |
| See the full scope reference | Scopes |
| Assign roles to users | Roles |