RBAC & OIDC Auth

Role-based access control with RS256/ES256 JWT validation and per-principal rate limiting.

Overview

The SSE server validates `Authorization: Bearer <jwt>` tokens on every connection. Each token carries a `principal` claim that is used for per-principal rate limiting, cost attribution, and audit logging.

Configuration

# Set JWKS endpoint for RS256/ES256 validation
OIDC_JWKS_URI=https://auth.example.com/.well-known/jwks.json
OIDC_ISSUER=https://auth.example.com
OIDC_AUDIENCE=ai-agencee

# Or use symmetric HS256 (dev/test only — use a long random string)
JWT_SECRET=<your-long-random-secret>
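
The validation path described above, as an added example that is not part of the project's own code: a stdlib-only Python check of the `Authorization: Bearer` header for the HS256 dev variant (JWKS fetching for RS256/ES256 is left out), which pins the algorithm, checks `iss`, `aud` and `exp`, extracts the `principal` claim, and feeds it to a per-principal fixed-window rate limiter. The constant values mirror the page's configuration variables with a made-up secret; `mint_hs256`, `allow_connection` and the window parameters are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed dev-only settings mirroring the page's HS256 variables (example, not the project's own code).
JWT_SECRET = b"example-dev-secret-change-me-0123456789abcdef"
OIDC_ISSUER = "https://auth.example.com"
OIDC_AUDIENCE = "ai-agencee"
_WINDOWS: dict[str, tuple[float, int]] = {}  # principal -> (window start, connections seen)

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_hs256(claims: dict, alg: str = "HS256") -> str:
    # Test helper only: a real deployment receives tokens from the IdP and never mints them.
    h, b = b64url_encode(json.dumps({"alg": alg}).encode()), b64url_encode(json.dumps(claims).encode())
    return f"{h}.{b}." + b64url_encode(hmac.new(JWT_SECRET, f"{h}.{b}".encode(), hashlib.sha256).digest())

def validate_bearer(authorization: str, now: float) -> str:
    """Check an Authorization header and return its principal claim; raise ValueError otherwise."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    try:
        h, b, s = token.split(".")
        header, claims = dict(json.loads(b64url_decode(h))), dict(json.loads(b64url_decode(b)))
    except (ValueError, TypeError):  # bad base64, bad JSON, non-object JSON, or wrong segment count
        raise ValueError("malformed token")
    # Pin the algorithm server-side; never let the token header pick the verifier (alg=none, HS/RS confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(JWT_SECRET, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    auds = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if claims.get("iss") != OIDC_ISSUER or OIDC_AUDIENCE not in auds:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    if not isinstance(claims.get("principal"), str) or not claims["principal"]:
        raise ValueError("missing principal")
    return claims["principal"]

def allow_connection(principal: str, now: float, limit: int = 3, window: float = 60.0) -> bool:
    """Fixed-window counter: admit at most `limit` connections per principal per `window` seconds."""
    start, count = _WINDOWS.get(principal, (now, 0))
    if now - start >= window:  # window elapsed: start a fresh count
        start, count = now, 0
    _WINDOWS[principal] = (start, count + 1)
    return count < limit
```

A token that passes `validate_bearer` but fails `allow_connection` should be refused before the SSE stream is opened, and both outcomes logged against the principal.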

GDPR CLI

# Export all data for a principal
ai-kit data:export --principal user@example.com

# Delete all data for a tenant
ai-kit data:delete --tenant acme-corp

# List all tenants
ai-kit data:list-tenants