# Tenant Identity

Tenant identity (JWT-SVID issuance) and RFC 8693 token delegation.

Tenant Admins use these endpoints to enable JWT-SVID issuance for an
org on a specific site, rotate the signing key, configure a token
exchange callback, and serve the public JWKS / OIDC discovery
documents that verifiers (OpenBao, tenant APIs, etc.) consume.

The six management endpoints (PUT / GET / DELETE on `tenant-identity/config`
and `tenant-identity/token-delegation`) require an authorization role with
the `TENANT_ADMIN` suffix for the `{org}` given in the URL. The three
`.well-known/*` endpoints are public, so external verifiers can fetch the
public keys without credentials.

PUT is a full-replace upsert: every call must include all required
fields, and omitted optional fields are cleared. To pause issuance
without destroying signing keys, PUT with `enabled: false`; to
destroy the signing keypair, use DELETE. Signing keys survive
`enabled: false` and survive non-rotation upserts, so JWKS consumers
and in-flight JWTs continue to verify across pauses and attribute
changes.

JWKS verifiers should treat every key in the returned set as valid
and match candidates by `kid` — during a key-rotation overlap
window two keys are present until the previous key expires. The
OIDC discovery endpoint's `id_token_signing_alg_values_supported`
is intentionally empty because NICo issues bearer access JWTs,
not OIDC `id_token`s. The three public endpoints return
`404 Not Found` when identity material cannot be served for this
org/site (unknown site, org is not a tenant, no tenant allocation
on the site, or no identity configuration); the two JWKS routes
additionally return `502 Bad Gateway` when the Core gRPC API
responds with a body that is not a parseable JWK Set.