Network-layer controls (rate limiting, WAF, IP allowlists, mTLS) live at your reverse proxy or API gateway layer.
Authentication
A production AgentOS sits behind JWT-validating middleware. Tokens can come from the AgentOS control plane, your own backend, or a third-party identity provider. Your service verifies them with the matching public key. See Self-Hosted for BYO and third-party setup.authorization=True drives both layers:
- Authentication (this section): requires a valid JWT on every request.
- Authorization (below): enforces the token’s scopes per endpoint.
/, /health, /info, /docs, /redoc, /openapi.json, /docs/oauth2-redirect.
Generate a Verification Key from the Control Plane
1
Toggle JWT authorization
Open os.agno.com → Add OS → Live → paste your URL. Enable JWT authorization when connecting a new AgentOS, or later from the OS Settings page.
2
Copy the public key
Copy the public key for your AgentOS from the modal.
3
Set the verification key
Set the Or, if you manage keys via a JWKS file, point AgentOS at it instead:
JWT_VERIFICATION_KEY environment variable to your public key in your .env file or export it directly in your terminal:Configure JWTs from Your Backend or IDP
If you’re issuing JWTs from your own backend, or from a third-party identity provider like WorkOS, Auth0, or Okta, pass anAuthorizationConfig:
verification_keys is a list. AgentOS tries each key in order until one verifies the token, so you can accept tokens from multiple issuers at the same time. For key rotation, use a JWKS file instead.
With verify_audience=True, AgentOS rejects tokens whose aud claim doesn’t match the expected audience. That expected value defaults to the AgentOS id; set audience to override it when your provider mints a different value.
JWT claim names (scopes, sub) are configured on the JWT middleware itself, not on AuthorizationConfig. The defaults (scopes for the scopes claim, sub for the user id claim) match the tokens minted by the control plane.
For the full self-hosted setup including multi-issuer, see Self-Hosted.
Authorization
Every JWT carries a claim listing the caller’s permissions (scopes by default; configurable via scopes_claim if your provider uses a different name, like WorkOS’s permissions). Endpoints are gated on those scopes.
The AgentOS control plane mints each token with the appropriate scopes. Scopes are bundled into roles and assigned to users in the control plane: the AgentOS control plane provides three default roles (owner, admin, member), and custom roles are available on Enterprise. Self-hosters define roles in their identity provider or backend. See the scope reference for the full scope list, Default Roles for what each grants, and Custom Roles to compose your own.
Request isolation
Every request gets a fresh copy of the agent, team, or workflow it’s hitting. AgentOS callsdeep_copy() on the registered component per request, so mutable state (session-scoped variables, tool execution context, run metadata) never bleeds between concurrent calls.
Heavy resources (the DB connection, the model client, MCP tool handles) are shared by reference; only the mutable per-run state is isolated. You get cheap concurrency without the footgun of two requests racing on the same in-memory agent instance.
This is on by default for every run endpoint. There’s nothing to configure.
User isolation
Per-user data isolation is opt-in. Authorization stays in force without it, but routes operate on the unscoped DB. A caller withagents:my-agent:run could read another user’s sessions if they know the IDs. For multi-tenant deployments, turn it on:
user_isolation=True, every non-admin caller gets:
Admin callers (whoever holds the configured
admin_scope, defaulting to agent_os:admin) bypass all of the above and see the full unscoped view: service accounts, internal tooling, the control plane.
Per-user isolation requires a database that records user_id (PostgreSQL recommended for production).
Defaults
See the AuthorizationConfig reference for all configuration options and their defaults.