# Configure Identity Providers

Identity providers are the token issuers your gateway trusts. When an agent endpoint is secured with [OAuth](/agent-manager/docs/v0.17.x/tutorials/secure-agent-endpoints-with-oauth/.md), the gateway validates incoming JWTs against the identity providers configured on it. Each agent then chooses which of those providers it accepts.

Identity providers are **owned by the gateway**, not by Agent Manager. You manage them from the **Identity Providers** card on a gateway's detail page in the console, which renders a command you run against your cluster. The command updates the gateway's runtime configuration and then syncs Agent Manager's records.

An identity provider is any external issuer you add, such as an Auth0 tenant or Microsoft Entra ID.

## Prerequisites

* A registered gateway in the environment you want to secure.
* Terminal access to your cluster with `kubectl`, `helm`, and `jq` configured. For the quickstart, run the command inside the dev container shell.

## Step 1: Open the Gateway's Identity Providers

1. Open the AMP Console.
2. In the left sidebar, under **INFRASTRUCTURE**, click **Gateways**, then open the gateway you want to secure.
3. On the gateway's detail page, find the **Identity Providers** card.

The card lists the identity providers configured on this gateway, each with its type, issuer, and environment.

## Step 2: Add an Identity Provider

1. In the **Identity Providers** card, click **Add Identity Provider**.

2. The **Gateway** is already selected. Choose the **Environment** the provider belongs to (it is selected automatically when the gateway maps to a single environment).

3. Enter a **Name**. Agents reference the provider by this name, so choose something stable and descriptive, such as `Auth0` or `EntraID`.

4. Provide the issuer details in one of two ways:

   * **Discover from URL** — paste the provider's OpenID configuration URL (for example, `https://your-tenant.us.idp.com/.well-known/openid-configuration`) and click **Fetch**. The **Issuer** and **JWKS URI** fields are filled in for you.
   * **Manual entry** — type the **Issuer** (the expected `iss` claim value) and the **JWKS URI** directly.

**Skip TLS verification**

Enable **Skip TLS verification when fetching JWKS** only for trusted internal issuers whose certificates the gateway cannot validate. Leave it off for public providers.
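As an added illustration of what the **Discover from URL** step checks before filling in **Issuer** and **JWKS URI**, and of the exact `iss` match the gateway makes against a configured provider at runtime (example code, not Agent Manager's or the gateway's own; the tenant URL, discovery document and token are constructed samples):

```python
"""Added example (not Agent Manager's or the gateway's code): the checks behind
the "Discover from URL" step, and the exact issuer match made at runtime."""
import base64
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def discover(config_url, document):
    """Validate a fetched OpenID configuration and return the two fields the
    dialog fills in: the expected `iss` value and the JWKS URI. `document` is
    the JSON body already fetched from config_url, so this runs offline."""
    if not config_url.endswith(WELL_KNOWN):
        raise ValueError("not an OpenID configuration URL")
    cfg = json.loads(document)
    issuer, jwks_uri = cfg.get("issuer"), cfg.get("jwks_uri")
    if not issuer or not jwks_uri:
        raise ValueError("discovery document lacks issuer or jwks_uri")
    # OIDC Discovery: the document must live at <issuer>/.well-known/openid-configuration;
    # a mismatch means it names an issuer other than the one that served it.
    if config_url != issuer.rstrip("/") + WELL_KNOWN:
        raise ValueError(f"issuer {issuer!r} does not match {config_url!r}")
    for field, url in (("issuer", issuer), ("jwks_uri", jwks_uri)):
        if urlsplit(url).scheme != "https":
            raise ValueError(f"{field} must use https, got {url!r}")
    return {"issuer": issuer, "jwks_uri": jwks_uri}

def match_provider(token, providers):
    """Name of the configured provider whose issuer equals the token's `iss`
    claim byte-for-byte, else None. Only the payload is decoded here; signature
    verification against that provider's JWKS is the gateway's job."""
    seg = token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    iss = payload.get("iss")
    # Exact comparison on purpose: "https://x/" and "https://x" are different issuers.
    return next((n for n, p in providers.items() if p["issuer"] == iss), None)

def sample_token(iss):
    """Constructed, unsigned sample JWT carrying only an `iss` claim."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'iss': iss})}.sig"

# Constructed sample discovery document for a tenant, as the dialog would fetch it.
SAMPLE_URL = "https://your-tenant.us.idp.com" + WELL_KNOWN
SAMPLE_DOC = json.dumps({"issuer": "https://your-tenant.us.idp.com",
                         "jwks_uri": "https://your-tenant.us.idp.com/.well-known/jwks.json"})
PROVIDERS = {"Auth0": discover(SAMPLE_URL, SAMPLE_DOC)}
```

The trailing-slash case is the one to remember: a token whose `iss` differs from the configured issuer only by a `/` matches no provider, and the gateway rejects it.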

## Step 3: Run the Rendered Command

The dialog renders a `curl ... | bash` command. Copy it and run it in a terminal where `kubectl`, `helm`, and `jq` are configured against your cluster. Your access token is substituted into the command when you copy it.

Behind the scenes the command:

1. Patches the gateway's runtime configuration (the `keymanagers` array in its ConfigMap) with the new issuer and JWKS URI.
2. Runs `helm upgrade` on the gateway release to apply the change.
3. Syncs Agent Manager's record of the provider.
4. Waits for the gateway to finish reprogramming.

The command is idempotent — it is safe to re-run. Once it completes, the new provider appears in the gateway's **Identity Providers** card and becomes selectable when securing an agent with OAuth.

## Step 4: Remove an Identity Provider

1. In the **Identity Providers** card, hover the provider you want to delete and click the remove icon to open the **Remove Identity Provider** dialog.
2. Copy the rendered command (it includes `ACTION=delete`) and run it the same way as in Step 3.

**Always use the rendered command**

Manage identity providers only through the command the console renders. The `PUT`/`DELETE /orgs/{org}/gateways/{id}/identity-providers/{name}` API endpoints update only Agent Manager's record of the gateway's providers — they do **not** change the gateway runtime. If you call them directly, Agent Manager and the gateway can drift apart: an agent may appear to deploy successfully while the gateway rejects every token at runtime.

## Notes

* Agents reference an identity provider by its **name**, not its issuer URL.
* A provider name is unique within a gateway.
* After adding a provider, secure an agent with it by following [Secure Agent Endpoints with OAuth](/agent-manager/docs/v0.17.x/tutorials/secure-agent-endpoints-with-oauth/.md).
