# Configure Identity Providers

Identity providers are the token issuers your gateway trusts. When an agent endpoint is secured with [OAuth](/agent-manager/docs/next/tutorials/secure-agent-endpoints-with-oauth/.md), the gateway validates incoming JWTs against the identity providers configured on it. Each agent then chooses which of those providers it accepts.

Identity providers are **owned by the gateway**, not by Agent Manager. You manage them from the **Identity Providers** card on a gateway's detail page in the console, which renders a command you run against your cluster. The command updates the gateway's runtime configuration and then syncs Agent Manager's records.

There are two types of identity provider:

* **System** — bundled with the platform (for example, `ThunderKeyManager`, the WSO2 Thunder IDP). System providers cannot be removed.
* **Custom** — any external issuer you add (for example, an Auth0 tenant or Microsoft Entra ID).

## Prerequisites

* A registered gateway in the environment you want to secure.
* Terminal access to your cluster with `kubectl`, `helm`, and `jq` configured. For the quickstart, run the command inside the dev container shell.

## Step 1: Open the Gateway's Identity Providers

1. Open the AMP Console.
2. In the left sidebar, under **INFRASTRUCTURE**, click **Gateways**, then open the gateway you want to secure.
3. On the gateway's detail page, find the **Identity Providers** card.

The card lists the identity providers configured on this gateway, showing each provider's type, issuer, and environment.

## Step 2: Add an Identity Provider

1. In the **Identity Providers** card, click **Add Identity Provider**.

2. The **Gateway** is already selected. Choose the **Environment** the provider belongs to (it is selected automatically when the gateway maps to a single environment).

3. Enter a **Name**. Agents reference the provider by this name, so choose something stable and descriptive, such as `Auth0` or `EntraID`.

4. Provide the issuer details in one of two ways:

   * **Discover from URL** — paste the provider's OpenID configuration URL (for example, `https://your-tenant.us.idp.com/.well-known/openid-configuration`) and click **Fetch**. The **Issuer** and **JWKS URI** fields are filled in for you.
   * **Manual entry** — type the **Issuer** (the expected `iss` claim value) and the **JWKS URI** directly.

**Skip TLS verification**

Enable **Skip TLS verification when fetching JWKS** only for trusted internal issuers whose certificates the gateway cannot validate. Leave it off for public providers.

## Step 3: Run the Rendered Command

The dialog renders a `curl ... | bash` command. Copy it and run it in a terminal where `kubectl`, `helm`, and `jq` are configured against your cluster. Your access token is substituted into the command when you copy it.

Behind the scenes the command:

1. Patches the gateway's runtime configuration (the `keymanagers` array in its ConfigMap) with the new issuer and JWKS URI.
2. Runs `helm upgrade` on the gateway release to apply the change.
3. Syncs Agent Manager's record of the provider.
4. Waits for the gateway to finish reprogramming.

The command is idempotent — it is safe to re-run. Once it completes, the new provider appears in the gateway's **Identity Providers** card and becomes selectable when securing an agent with OAuth.

## Step 4: Remove an Identity Provider

1. In the **Identity Providers** card, hover the provider you want to delete and click the remove icon to open the **Remove Identity Provider** dialog.
2. Copy the rendered command (it includes `ACTION=delete`) and run it the same way as in Step 3.

System providers such as `ThunderKeyManager` cannot be removed.

**Always use the rendered command**

Manage identity providers only through the command the console renders. The `PUT`/`DELETE /orgs/{org}/gateways/{id}/identity-providers/{name}` API endpoints update only Agent Manager's record of the gateway's providers — they do **not** change the gateway runtime. If you call them directly, Agent Manager and the gateway can drift apart: an agent may appear to deploy successfully while the gateway rejects every token at runtime.
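As an added example (not the platform's own code), the following Python models what Steps 2 and 3 and the note above describe: pulling the issuer and JWKS URI from a discovery document, matching a token's `iss` claim to a gateway provider that the agent lists by name, and detecting drift between the gateway's `keymanagers` array and Agent Manager's record. The entry field names and every sample issuer are assumptions, and the token helper does not produce a real signature.

```python
import base64
import json

# Constructed sample: the `keymanagers` array from the gateway's ConfigMap.
# The entry field names are assumed; the page only says each carries an issuer and JWKS URI.
GATEWAY_KEYMANAGERS = [
    {"name": "ThunderKeyManager", "issuer": "https://thunder.internal/oauth2/token",
     "jwksUri": "https://thunder.internal/oauth2/jwks"},
    {"name": "Auth0", "issuer": "https://your-tenant.us.idp.com/",
     "jwksUri": "https://your-tenant.us.idp.com/.well-known/jwks.json"},
]
# Constructed sample: Agent Manager's record after a direct API call added a provider the gateway never received.
AGENT_MANAGER_PROVIDERS = [
    {"name": "ThunderKeyManager", "issuer": "https://thunder.internal/oauth2/token"},
    {"name": "Auth0", "issuer": "https://your-tenant.us.idp.com/"},
    {"name": "EntraID", "issuer": "https://login.microsoftonline.com/TENANT_ID/v2.0"},
]

def discover(openid_config: dict) -> dict:
    """The two fields the console's Fetch button extracts from a discovery document."""
    return {"issuer": openid_config["issuer"], "jwksUri": openid_config["jwks_uri"]}

def find_drift(gateway: list, agent_manager: list) -> dict:
    """Providers known to only one side, plus names whose issuer differs between them."""
    gw = {p["name"]: p["issuer"] for p in gateway}
    am = {p["name"]: p["issuer"] for p in agent_manager}
    return {
        "only_in_agent_manager": sorted(am.keys() - gw.keys()),
        "only_in_gateway": sorted(gw.keys() - am.keys()),
        "issuer_mismatch": sorted(n for n in gw.keys() & am.keys() if gw[n] != am[n]),
    }

def make_demo_token(claims: dict) -> str:
    """Constructed header.payload.<placeholder> token; the signature segment is not real."""
    def b64(o): return base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.SIGNATURE_PLACEHOLDER"

def unverified_claims(jwt: str) -> dict:
    """Decode the payload only. Signature checking against the JWKS is the gateway's job."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def resolve_provider(jwt: str, gateway: list, accepted_names: set):
    """Name of the gateway provider this token maps to, or None when the gateway would reject it.
    `iss` must equal the configured Issuer exactly, and the agent must list the provider by name."""
    iss = unverified_claims(jwt).get("iss")
    for p in gateway:
        if p["issuer"] == iss and p["name"] in accepted_names:
            return p["name"]
    return None
```

In the sample data, a token from the `EntraID` issuer resolves to nothing even though Agent Manager lists that provider, which is exactly the drift the note describes.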

## Notes

* Agents reference an identity provider by its **name**, not its issuer URL.
* A provider name is unique within a gateway.
* `ThunderKeyManager` is the bundled default identity provider.
* After adding a provider, secure an agent with it by following [Secure Agent Endpoints with OAuth](/agent-manager/docs/next/tutorials/secure-agent-endpoints-with-oauth/.md).
