# SSO (OIDC + SAML)
Verify OIDC ID tokens and SAML assertions to map an inbound request to a tenant. Pure, dependency-free, WebCrypto-only.
@agentskit/core/security ships two helpers for plugging an enterprise IdP (Okta, Auth0, Azure AD, Keycloak, Cognito) into a runtime so each request resolves to a tenant.
Pure, dependency-free. Signature verification uses WebCrypto (`crypto.subtle`), which is available in Node 18+, every modern browser, and every edge runtime.
## OIDC ID tokens (RS256 / ES256)

```ts
import { createOidcVerifier } from '@agentskit/core/security'

const verifier = createOidcVerifier({
  issuer: 'https://example.okta.com',
  audience: 'agentskit-api',
  // jwksUrl defaults to `${issuer}/.well-known/jwks.json`
  // jwksTtlMs defaults to 1h, clockSkewSeconds to 30
})

const claims = await verifier.verify(bearerToken)
// claims.sub, claims.iss, claims.aud, claims.exp, plus any tenant claim
```

Use the IdP-specific tenant claim (`tid`, `org_id`, `tenant`) to scope downstream cost-guard, rate-limit, and audit-log lookups.
If the IdP rotates a key out-of-band, call verifier.refreshJwks() to bypass the cache.
## SAML assertions

SAML requires an XML / XML-DSig validator: bring your own. The helper provides a typed contract for the parsed assertion shape so the rest of the pipeline can stay generic.

```ts
import { createSamlVerifier } from '@agentskit/core/security'

const verifier = createSamlVerifier({
  validator: async (xml) => myXmlDsigValidator(xml),
})

const assertion = await verifier.verify(samlResponseXml)
// assertion.subject, assertion.attributes (typed bag)
```

## Related
- Audit log
- Cost guard: pair with the tenant claim
- Rate limiting