Copyright © 2026, NVIDIA Corporation.


Tenant Identity


Tenant identity (JWT-SVID issuance) and RFC 8693 token delegation.

Tenant Admins use these endpoints to enable JWT-SVID issuance for an org on a specific site, rotate the signing key, configure a token exchange callback, and serve the public JWKS / OIDC discovery documents that verifiers (OpenBao, tenant APIs, etc.) consume.

The six management endpoints (PUT / GET / DELETE on tenant-identity/config and tenant-identity/token-delegation) require an authorization role with the TENANT_ADMIN suffix for the org named by {org} in the URL. The three .well-known/* endpoints are public; external verifiers can fetch public keys without credentials.

PUT is a full-replace upsert: every call must include all required fields, and omitted optional fields are cleared. To pause issuance without destroying signing keys, PUT with enabled: false; to destroy the signing keypair, use DELETE. Signing keys survive enabled: false and survive non-rotation upserts, so JWKS consumers and in-flight JWTs continue to verify across pauses and attribute changes.

JWKS verifiers should treat every key in the returned set as valid and match candidates by kid — during a key-rotation overlap window two keys are present until the previous key expires. The OIDC discovery endpoint’s id_token_signing_alg_values_supported is intentionally empty because NICo issues bearer access JWTs, not OIDC id_tokens. The three public endpoints return 404 Not Found when identity material cannot be served for this org/site (unknown site, org is not a tenant, no tenant allocation on the site, or no identity configuration); the two JWKS routes additionally return 502 Bad Gateway when the Core gRPC API responds with a body that is not a parseable JWK Set.
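The verifier-side key selection described above, as an added example that is not NVIDIA's or NICo's code: it caches the JWK Set, matches by kid across a rotation overlap, and handles the 404 and 502 cases. `KeyResolver`, `fetch` (a callable returning an HTTP status and body for the JWKS URL) and `min_refresh_s` are hypothetical names, the 404 and 502 handling is this example's policy choice, and signature verification with the selected key is left to a JWT library.

```python
import base64, json, time

class KeyUnavailable(Exception):
    """No trusted key for this token; the caller must reject it."""

def jwt_kid(token):
    """Read kid from the (still unverified) header of a compact JWT."""
    seg = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    return header.get("kid")

class KeyResolver:
    def __init__(self, fetch, min_refresh_s=60, clock=time.monotonic):
        self.fetch = fetch              # hypothetical: returns (status, body)
        self.min_refresh_s = min_refresh_s
        self.clock = clock
        self.keys = {}                  # kid -> JWK; every cached key is valid
        self.last = None                # time of the last fetch attempt

    def refresh(self):
        self.last = self.clock()
        status, body = self.fetch()
        if status == 404:               # no identity material for this org/site
            self.keys = {}              # policy choice here: fail closed
            return
        if status != 200:               # e.g. 502: keep the last good set
            return
        try:
            keys = json.loads(body)["keys"]
            self.keys = {k["kid"]: k for k in keys}
        except (ValueError, KeyError, TypeError):
            pass                        # unparseable body: keep the last good set

    def key_for(self, token):
        kid = jwt_kid(token)
        stale = self.last is None or self.clock() - self.last >= self.min_refresh_s
        # Refetch on a kid miss (a rotation may have published a new key), but
        # rate-limit it so tokens with made-up kids cannot force a fetch each.
        if kid not in self.keys and stale:
            self.refresh()
        if kid not in self.keys:
            raise KeyUnavailable(f"no trusted key with kid {kid!r}")
        return self.keys[kid]
```

The refresh interval bounds how long a newly rotated key can go unrecognized, so it should be well below the rotation overlap window.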
