# Secure Agent Endpoints with OAuth

OAuth security protects platform-hosted API agent endpoints at the gateway. When enabled, callers must send a valid JWT, by default in the `Authorization: Bearer <token>` header. The gateway validates the token against the [identity providers](/agent-manager/docs/next/administration/configure-identity-providers/.md) you select for the agent.

OAuth and [API key security](/agent-manager/docs/next/tutorials/secure-agent-endpoints-with-api-keys/.md) are mutually exclusive — an agent uses one or the other, not both.

## Prerequisites

* A platform-hosted API agent created in a project.
* At least one [identity provider configured](/agent-manager/docs/next/administration/configure-identity-providers/.md) on the environment's gateway.

## Step 1: Enable OAuth During Deployment

1. Open the AMP Console and select your project.
2. Open the API agent you want to secure.
3. Click **Deploy**, then **Configure & Deploy**.
4. In the deploy drawer, under **Endpoint Authentication**, select **OAuth**.

## Step 2: Configure OAuth

1. **Identity Providers** (required) — select one or more providers whose tokens the gateway should accept for this agent.
2. **Audiences** (optional) — add accepted token audiences (the `aud` claim). Leave empty to disable audience validation.
3. **Header name** and **Auth header prefix** — the defaults are `Authorization` and `Bearer`. Change them only if your callers send the token differently.
4. **Forward token to upstream** — when on, the validated token header is forwarded to the agent service so it can inspect the token. Turn it off to strip the header before proxying.

## Step 3: Deploy

Deploy the agent to apply the policy.

**Note:** If you change the authentication setting later, redeploy the agent so the gateway policy is updated.

## Step 4: Invoke the Agent with a Token

Send the token in the configured header when calling the deployed agent endpoint:

```bash
curl -X POST "<agent-invoke-url>" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <token>" \
  -d '<request-body>'
```

Replace `<agent-invoke-url>`, `<token>`, and `<request-body>` with the values for your agent. Obtain the token from one of the agent's configured identity providers.
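The checks the gateway performs with the Step 2 settings, and the header shape the Step 4 call must have, are easier to reason about with a working model in front of you. The following is an added example and is not the gateway's or the platform's own code: it models the policy as a small Python object (the field names `providers`, `audiences`, `header_name`, `header_prefix` and `forward_token` are assumptions mirroring the console labels), stands in a shared-secret HS256 signer for an identity provider (a real provider would publish asymmetric keys), and shows how issuer selection, optional audience validation, the custom header and prefix, and the forward-token toggle each affect what reaches the agent service.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for an identity provider registered on the gateway.
# Real providers expose asymmetric keys via JWKS; an HS256 shared secret
# keeps this example self-contained and offline.
@dataclass
class IdentityProvider:
    issuer: str
    secret: bytes

# Mirrors the per-agent OAuth settings from Step 2 (field names are assumptions).
@dataclass
class OAuthPolicy:
    providers: list                                 # required: providers whose tokens are accepted
    audiences: list = field(default_factory=list)   # empty list disables aud validation
    header_name: str = "Authorization"
    header_prefix: str = "Bearer"
    forward_token: bool = True                      # forward validated header to the agent service

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(provider: IdentityProvider, claims: dict) -> str:
    """Constructed token issuer: signs the claims with HS256 for the example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": provider.issuer, **claims}).encode())
    sig = hmac.new(provider.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def extract_token(headers: dict, policy: OAuthPolicy) -> Optional[str]:
    """Pull the raw token out of the configured header, honoring the configured prefix."""
    # HTTP header names are case-insensitive, so match the name that way.
    value = next((v for k, v in headers.items() if k.lower() == policy.header_name.lower()), None)
    if value is None:
        return None
    if policy.header_prefix:
        prefix = policy.header_prefix + " "
        if not value.startswith(prefix):
            return None
        return value[len(prefix):].strip()
    return value.strip()

def validate_token(token: str, policy: OAuthPolicy, now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable under the policy, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad JSON and a wrong segment count
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported or malformed header")
    # Only issuers selected for this agent are accepted, and the signature is
    # checked against that provider's key alone (no cross-provider key lookup).
    provider = next((p for p in policy.providers if p.issuer == claims.get("iss")), None)
    if provider is None:
        raise ValueError("issuer not accepted for this agent")
    expected = hmac.new(provider.secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    if policy.audiences:  # audience validation only when audiences were configured
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud
        if not set(aud) & set(policy.audiences):
            raise ValueError("audience not accepted")
    return claims

def gateway_proxy(headers: dict, policy: OAuthPolicy, now: Optional[float] = None) -> tuple:
    """Simulate the gateway: returns (status, headers forwarded to the agent service)."""
    token = extract_token(headers, policy)
    if token is None:
        return 401, {}
    try:
        validate_token(token, policy, now)
    except ValueError:
        return 401, {}
    if policy.forward_token:
        return 200, dict(headers)
    # Forward-token off: strip the token header before proxying upstream.
    return 200, {k: v for k, v in headers.items() if k.lower() != policy.header_name.lower()}
```

Two behaviours worth noting when you read it against the console settings: a token signed by a provider that exists on the gateway but is not selected for this agent is rejected at the issuer check before its signature is ever examined, and leaving `audiences` empty means a token minted for an unrelated service is accepted, so add the agent's audience unless your provider cannot set `aud`.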

## Testing from the Console

**Note:** The agent **Test** page is unavailable while OAuth is enabled, because the console cannot mint a token for you. Test the endpoint out-of-band with a valid token, as shown in Step 4.

When OAuth is enabled, the agent's **API Keys** page also shows as disabled, since OAuth and API key security cannot be active at the same time.

## Notes

* OAuth security applies to platform-hosted API agents.
* Accepted issuers and audiences come from the [identity providers configured on the gateway](/agent-manager/docs/next/administration/configure-identity-providers/.md).
* An agent uses one authentication method at a time — OAuth or API key, not both.
