AI Agent Public Keys

The AI Agent Public Keys API provides a set of operations to manage public JSON Web Key (JWK) credentials that are used for AI agents. See AI agents.

A JWK is a JSON representation of a cryptographic key. Okta uses signing keys to verify the signature of a JWT when provided for the private_key_jwt client authentication method or for a signed authorize request object. Okta supports both RSA and Elliptic Curve (EC) keys for signing tokens.

List all AI agent JSON Web Keys
Beta
OAuth 2.0 scopes:
  • okta.aiAgents.read
Admin roles:
  • SUPER_ADMIN

Lists all JSON Web Keys (JWK) for an AI agent

Request
Path parameters:
  • agentId (string, required): ID of the AI agent. Example: wlpcFogtKCrK9aYq3fgV

Responses:
  • 200 OK
  • 401 Unauthorized
  • 403 Forbidden
  • 404 Not Found
  • 429 Too Many Requests

GET /workload-principals/api/v1/ai-agents/{agentId}/credentials/jwks

Add a JSON Web Key
Beta
OAuth 2.0 scopes:
  • okta.aiAgents.manage
Admin roles:
  • SUPER_ADMIN

Adds a new JSON Web Key (JWK) to the AI agent's JWK Set (JWKS)

Request
Path parameters:
  • agentId (string, required): ID of the AI agent. Example: wlpcFogtKCrK9aYq3fgV

Request Body schema: application/json (required)
  • kty (string, required): Cryptographic algorithm family for the certificate's key pair
  • e (string): The public exponent of the RSA key, represented as a Base64URL-encoded string. This value is used in combination with the modulus (n) to verify signatures and encrypt data.
  • n (string): The modulus of the RSA public key, represented as a Base64URL-encoded string. This is the primary component of the RSA key and, with the exponent (e), is used for cryptographic signature verification and encryption.
  • kid (string): Unique identifier of the JSON Web Key in the AI agent's JSON Web Key Set (JWKS)
  • status (string, default: "ACTIVE"): Status of the AI agent JSON Web Key. Enum: "ACTIVE" "INACTIVE"
  • alg (string): Algorithm that's used in the JSON Web Key
  • use (string): Acceptable use of the JSON Web Key. You can only use signing keys for AI agents, so the value of use is always sig. Value: "sig"

Responses:
  • 201 Created
  • 400 Bad Request
  • 401 Unauthorized
  • 403 Forbidden
  • 429 Too Many Requests

POST /workload-principals/api/v1/ai-agents/{agentId}/credentials/jwks
Request samples
application/json
{
  "kid": "ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B",
  "kty": "RSA",
  "alg": "RS256",
  "use": "sig",
  "e": "AQAB",
  "n": "AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=",
  "status": "ACTIVE"
}
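
A pre-submission check for the request body described above, as an added example that is not Okta's code: it rejects private or symmetric key members, enforces the use and status values from the schema, and checks that n and e are unpadded Base64URL as defined in RFC 7515. The function names, the 2048-bit floor, and the sample key are assumptions made for this example.

```python
import base64
import re

# RFC 7518 private-key and symmetric-key members that must never leave the agent host.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
B64URL = re.compile(r"^[A-Za-z0-9_-]+$")
MIN_RSA_BITS = 2048  # assumption: local policy floor, matching RFC 7518 section 3.3

def b64url_to_int(value):
    """Decode an unpadded Base64URL string to an int; None if malformed."""
    if not isinstance(value, str) or not B64URL.match(value):
        return None
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except ValueError:
        return None
    return int.from_bytes(raw, "big")

def int_to_b64url(number):
    """Encode an int as unpadded Base64URL (used only to build the sample)."""
    raw = number.to_bytes((number.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_agent_jwk(jwk):
    """Return the problems found in a JWK request body; an empty list means none."""
    problems = []
    leaked = sorted(PRIVATE_MEMBERS.intersection(jwk))
    if leaked:
        problems.append("private key members present: " + ", ".join(leaked))
    if jwk.get("use", "sig") != "sig":
        problems.append("use must be sig")
    if jwk.get("status", "ACTIVE") not in ("ACTIVE", "INACTIVE"):
        problems.append("status must be ACTIVE or INACTIVE")
    if jwk.get("kty") == "RSA":
        n, e = b64url_to_int(jwk.get("n")), b64url_to_int(jwk.get("e"))
        if n is None or e is None:
            problems.append("n and e must be unpadded Base64URL strings")
        elif n.bit_length() < MIN_RSA_BITS:
            problems.append("RSA modulus is %d bits, below %d" % (n.bit_length(), MIN_RSA_BITS))
    elif jwk.get("kty") == "EC":
        problems += ["EC key is missing " + m for m in ("crv", "x", "y") if m not in jwk]
    else:
        problems.append("kty must be RSA or EC")
    return problems

# Constructed sample: the modulus is a 2048-bit placeholder, not a real key.
SAMPLE = {"kid": "example-key-1", "kty": "RSA", "alg": "RS256", "use": "sig",
          "e": "AQAB", "n": int_to_b64url((1 << 2047) | 1), "status": "ACTIVE"}
```

The check is structural only: it does not prove the modulus belongs to a well-formed key pair, so generate keys with a vetted library and export only the public half.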

Retrieve an AI agent JSON Web Key
Beta
OAuth 2.0 scopes:
  • okta.aiAgents.read
Admin roles:
  • SUPER_ADMIN

Retrieves an AI agent's JSON Web Key by keyId

Request
Path parameters:
  • agentId (string, required): ID of the AI agent. Example: wlpcFogtKCrK9aYq3fgV
  • keyId (string, required): Unique id of the AI agent JSON Web Key. Example: pks2f4zrZbs8nUa7p0g4

Responses:
  • 200 OK
  • 401 Unauthorized
  • 403 Forbidden
  • 404 Not Found
  • 429 Too Many Requests

GET /workload-principals/api/v1/ai-agents/{agentId}/credentials/jwks/{keyId}

Delete an AI agent JSON Web Key
Beta
OAuth 2.0 scopes:
  • okta.aiAgents.manage
Admin roles:
  • SUPER_ADMIN

Deletes an AI agent's JSON Web Key by keyId. You can only delete an inactive key.

Request
Path parameters:
  • agentId (string, required): ID of the AI agent. Example: wlpcFogtKCrK9aYq3fgV
  • keyId (string, required): Unique id of the AI agent JSON Web Key. Example: pks2f4zrZbs8nUa7p0g4

Responses:
  • 204 No Content
  • 400 Bad Request
  • 401 Unauthorized
  • 403 Forbidden
  • 404 Not Found
  • 429 Too Many Requests

DELETE /workload-principals/api/v1/ai-agents/{agentId}/credentials/jwks/{keyId}
Response samples
application/json
{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: JsonWebKey",
  "errorLink": "E0000001",
  "errorId": "sampleQPivGUj_ND5v78vbYWW",
  "errorCauses": [
    { }
  ]
}

Activate an AI agent JSON Web Key
Beta
OAuth 2.0 scopes:
  • okta.aiAgents.manage
Admin roles:
  • SUPER_ADMIN

Activates an AI agent's JSON Web Key by keyId

Note: You can only have one active encryption key at any given time for an AI agent. When you activate an inactive key, the currently active key is automatically deactivated.

Request
Path parameters:
  • agentId (string, required): ID of the AI agent. Example: wlpcFogtKCrK9aYq3fgV
  • keyId (string, required): Unique id of the AI agent JSON Web Key. Example: pks2f4zrZbs8nUa7p0g4

Responses:
  • 200 OK
  • 401 Unauthorized
  • 403 Forbidden
  • 404 Not Found
  • 429 Too Many Requests

POST /workload-principals/api/v1/ai-agents/{agentId}/credentials/jwks/{keyId}/lifecycle/activate

Deactivate an AI agent JSON Web Key
Beta
OAuth 2.0 scopes:
  • okta.aiAgents.manage
Admin roles:
  • SUPER_ADMIN

Deactivates an AI agent's JSON Web Key by keyId

Note: You can only deactivate signing keys. You can't deactivate the active encryption key if the client has ID token encryption enabled. However, you can activate another encryption key, which makes the current key inactive.

Request
Path parameters:
  • agentId (string, required): ID of the AI agent. Example: wlpcFogtKCrK9aYq3fgV
  • keyId (string, required): Unique id of the AI agent JSON Web Key. Example: pks2f4zrZbs8nUa7p0g4

Responses:
  • 200 OK
  • 400 Bad Request
  • 401 Unauthorized
  • 403 Forbidden
  • 404 Not Found
  • 429 Too Many Requests

POST /workload-principals/api/v1/ai-agents/{agentId}/credentials/jwks/{keyId}/lifecycle/deactivate