Version: Next

Secure Agent Endpoints with OAuth

OAuth security protects platform-hosted API agent endpoints at the gateway. When enabled, callers must send a valid JWT, by default in the Authorization: Bearer <token> header. The gateway validates the token against the identity providers you select for the agent.

OAuth and API key security are mutually exclusive — an agent uses one or the other, not both.

Prerequisites

Step 1: Enable OAuth During Deployment

  1. Open the AMP Console and select your project.
  2. Open the API agent you want to secure.
  3. Click Deploy, then Configure & Deploy.
  4. In the deploy drawer, under Endpoint Authentication, select OAuth.

Step 2: Configure OAuth

  1. Identity Providers (required) — select one or more providers whose tokens the gateway should accept for this agent.
  2. Audiences (optional) — add accepted token audiences (the aud claim). Leave empty to disable audience validation.
  3. Header name and Auth header prefix — the defaults are Authorization and Bearer. Change them only if your callers send the token differently.
  4. Forward token to upstream — when on, the validated token header is forwarded to the agent service so it can inspect the token. Turn it off to strip the header before proxying.

Step 3: Deploy

Deploy the agent to apply the policy.

Note: If you change the authentication setting later, redeploy the agent so the gateway policy is updated.

Step 4: Invoke the Agent with a Token

Send the token in the configured header when calling the deployed agent endpoint:

curl -X POST "<agent-invoke-url>" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <token>" \
-d '<request-body>'

Replace <agent-invoke-url>, <token>, and <request-body> with the values for your agent. Obtain the token from one of the agent's configured identity providers.
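Before sending a request, it can help to check the token's claims against what you configured in Step 2. The following is an added example, not code from the platform: it reads the payload without verifying the signature (the gateway does the real validation) and applies standard JWT claim semantics, which are assumed here rather than taken from the gateway's implementation. The function names, issuer URL and audience values are hypothetical, and the sample token is constructed.

```python
import base64
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Read the JWT payload. No signature check: the gateway does the real validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def preflight(token, accepted_audiences=(), expected_issuer=None, now=None):
    """Return reasons the token would likely be rejected (empty list: none found)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if "exp" in claims and claims["exp"] <= now:
        problems.append("expired")
    if "nbf" in claims and claims["nbf"] > now:
        problems.append("not yet valid")
    if expected_issuer is not None and claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    if accepted_audiences:  # an empty list mirrors "audience validation disabled"
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud  # RFC 7519: string or array
        if not set(aud) & set(accepted_audiences):
            problems.append("audience mismatch")
    return problems

def auth_header(token, name="Authorization", prefix="Bearer"):
    """Build the header with the Step 2 defaults; pass other values if you changed them."""
    return {name: f"{prefix} {token}"}

# Constructed sample token: placeholder signature, made-up issuer and audience.
SAMPLE = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps({"iss": "https://idp.example.com", "aud": "other-app",
                        "exp": 2000000000}).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    print(preflight(SAMPLE, accepted_audiences=["my-agent"], now=1900000000))
    print(preflight(SAMPLE, accepted_audiences=[], now=1900000000))
    print(auth_header("<token>"))
```

The second call returns no problems for a token minted for a different audience, which is the effect of leaving Audiences empty: any otherwise valid token from a selected provider passes the audience step.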

Testing from the Console

Note: The agent Test page is unavailable while OAuth is enabled, because the console cannot mint a token for you. Test the endpoint out-of-band with a valid token, as shown in Step 4.

When OAuth is enabled, the agent's API Keys page also shows as disabled, since OAuth and API key security cannot be active at the same time.

Notes

  • OAuth security applies to platform-hosted API agents.
  • Accepted issuers and audiences come from the identity providers configured on the gateway.
  • An agent uses one authentication method at a time — OAuth or API key, not both.