> For clean Markdown of any page, append .md to the page URL. > For a complete documentation index, see https://docs.nvidia.com/infra-controller/llms.txt. > For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://docs.nvidia.com/infra-controller/_mcp/server. # Create or Update Tenant Identity Configuration PUT https://nico-rest-api.nico.svc.cluster.local/v2/org/{org}/nico/site/{siteID}/tenant-identity/config Content-Type: application/json Create or update tenant identity (JWT-SVID) configuration for the org/site. User must have authorization role with `TENANT_ADMIN` suffix in the URL `{org}`. On first call the Core gRPC API generates a new ES256 signing keypair; on subsequent calls the existing keypair is reused unless `rotateKey: true` is supplied. Returns `201 Created` on first call, `200 OK` on subsequent updates. See the Tenant Identity tag description for upsert semantics and the `enabled` vs DELETE distinction. Reference: https://docs.nvidia.com/infra-controller/infra-controller/rest-api-reference/api-reference/tenant-identity/create-or-update-tenant-identity-config ## OpenAPI Specification ```yaml openapi: 3.1.0 info: title: NVIDIA Infra Controller REST API version: 1.0.0 paths: /v2/org/{org}/nico/site/{siteID}/tenant-identity/config: put: operationId: create-or-update-tenant-identity-config summary: Create or Update Tenant Identity Configuration description: >- Create or update tenant identity (JWT-SVID) configuration for the org/site. User must have authorization role with `TENANT_ADMIN` suffix in the URL `{org}`. On first call the Core gRPC API generates a new ES256 signing keypair; on subsequent calls the existing keypair is reused unless `rotateKey: true` is supplied. Returns `201 Created` on first call, `200 OK` on subsequent updates. See the Tenant Identity tag description for upsert semantics and the `enabled` vs DELETE distinction. tags: - subpackage_tenantIdentity parameters: - name: org in: path description: Name of the Org required: true schema: type: string - name: siteID in: path description: ID of the Site required: true schema: type: string format: uuid - name: Authorization in: header description: >- ``` export JWT_BEARER_TOKEN="" # Example org name: "acme-inc export ORG_NAME= # Use the JWT bearer token in your API request auth header: curl -v -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $JWT_BEARER_TOKEN" https://nico-rest-api.nico.svc.cluster.local/v2/org/$ORG_NAME/nico/user/current ``` required: true schema: type: string responses: '200': description: Tenant identity configuration replaced/updated content: application/json: schema: $ref: '#/components/schemas/TenantIdentityConfig' '400': description: Error response when request data cannot be validated content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' '403': description: >- Error response when user is not authorized to call an endpoint or retrieve/modify objects content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' '404': description: Error response when requested object is not found content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' '500': description: Response when the API handler encounters an unexpected error content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' '503': description: |- Core gRPC API is unavailable, or site-level machine identity is disabled (`enabled=false` in site config), so the request cannot be served. content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' requestBody: content: application/json: schema: $ref: '#/components/schemas/TenantIdentityConfigCreateOrUpdateRequest' servers: - url: https://nico-rest-api.nico.svc.cluster.local description: Kubernetes Cluster components: schemas: TenantIdentityConfigCreateOrUpdateRequestWithoutKeyRotation: type: object properties: enabled: type: boolean default: true description: |- Optional. Set to `true` to enable JWT-SVID issuance for this org or `false` to keep the config but pause issuance. Defaults to `true` when omitted. issuer: type: string description: |- JWT `iss` claim / OIDC issuer. Required in the REST request body. The Core gRPC API (`Issuer::parse`) is authoritative for scheme and host rules and accepts `https://`, `http://`, or `spiffe://` URLs with a DNS host; malformed values are rejected with `400 Bad Request`. defaultAudience: type: string description: >- Default audience applied when a workload does not specify one. Required. allowedAudiences: type: array items: type: string default: [] description: |- Allowlist of audience strings that may appear in issued JWT-SVIDs. When **empty or omitted**, the Core gRPC API persists `[defaultAudience]` as the stored allowlist, so only the default audience can be issued -- empty is **not** "allow any". To accept additional audiences, provide a non-empty list; non-empty lists must include `defaultAudience`. A subsequent GET returns the persisted allowlist, which may differ from an empty list that was sent on PUT. tokenTtlSeconds: type: integer description: |- Issued-token TTL in seconds. Required in the REST request body and must be > 0. The Core gRPC API enforces its configured `[machine_identity].token_ttl_min_sec` / `token_ttl_max_sec` window and rejects values outside the window with `400 Bad Request`. The window is per-site, so REST does not advertise a fixed maximum here. subjectPrefix: type: string description: |- Optional SPIFFE ID URI prefix for JWT `sub` (RFC-shaped `spiffe://…`). When omitted, the Core gRPC API derives a prefix from the issuer's trust domain. rotateKey: type: boolean default: false description: |- Must be omitted or `false` for this variant. Switch to the "With key rotation" variant to force a fresh ES256 signing keypair and arm a JWKS overlap window. required: - issuer - defaultAudience - tokenTtlSeconds description: |- Standard create-or-update of the tenant identity config. Use this shape when **not** rotating the signing key. `signingKeyOverlapSeconds` is not used here -- it is only meaningful together with `rotateKey: true` and is rejected by the REST API in that combination. Switch to the "With key rotation" variant when you need to set it. title: TenantIdentityConfigCreateOrUpdateRequestWithoutKeyRotation TenantIdentityConfigCreateOrUpdateRequestWithKeyRotation: type: object properties: enabled: type: boolean default: true description: |- Optional. Set to `true` to enable JWT-SVID issuance for this org or `false` to keep the config but pause issuance. Defaults to `true` when omitted. issuer: type: string description: |- JWT `iss` claim / OIDC issuer. Required in the REST request body. The Core gRPC API (`Issuer::parse`) is authoritative for scheme and host rules and accepts `https://`, `http://`, or `spiffe://` URLs with a DNS host; malformed values are rejected with `400 Bad Request`. defaultAudience: type: string description: >- Default audience applied when a workload does not specify one. Required. allowedAudiences: type: array items: type: string default: [] description: |- Allowlist of audience strings that may appear in issued JWT-SVIDs. When **empty or omitted**, the Core gRPC API persists `[defaultAudience]` as the stored allowlist, so only the default audience can be issued -- empty is **not** "allow any". To accept additional audiences, provide a non-empty list; non-empty lists must include `defaultAudience`. A subsequent GET returns the persisted allowlist, which may differ from an empty list that was sent on PUT. tokenTtlSeconds: type: integer description: |- Issued-token TTL in seconds. Required in the REST request body and must be > 0. The Core gRPC API enforces its configured `[machine_identity].token_ttl_min_sec` / `token_ttl_max_sec` window and rejects values outside the window with `400 Bad Request`. The window is per-site, so REST does not advertise a fixed maximum here. subjectPrefix: type: string description: |- Optional SPIFFE ID URI prefix for JWT `sub` (RFC-shaped `spiffe://…`). When omitted, the Core gRPC API derives a prefix from the issuer's trust domain. rotateKey: type: boolean description: |- Must be `true` for this variant. Generates a fresh ES256 signing keypair into the other key slot, swaps the current signer, and arms a JWKS overlap window for the previous key. signingKeyOverlapSeconds: type: integer description: |- Required when `rotateKey` is `true`. Number of seconds the previous verification key remains in JWKS so that JWTs already signed with it stay verifiable until they expire. Must be `>= tokenTtlSeconds`. The Core gRPC API enforces an upper bound via its `[machine_identity].signing_key_overlap_max_sec` config; values above that bound are rejected with `400 Bad Request`. required: - issuer - defaultAudience - tokenTtlSeconds - rotateKey - signingKeyOverlapSeconds description: |- Create-or-update of the tenant identity config that also forces a signing-key rotation. Both `rotateKey: true` and `signingKeyOverlapSeconds` are required. title: TenantIdentityConfigCreateOrUpdateRequestWithKeyRotation TenantIdentityConfigCreateOrUpdateRequest: oneOf: - $ref: >- #/components/schemas/TenantIdentityConfigCreateOrUpdateRequestWithoutKeyRotation - $ref: >- #/components/schemas/TenantIdentityConfigCreateOrUpdateRequestWithKeyRotation description: |- Tenant identity configuration payload. `issuer`, `defaultAudience`, and `tokenTtlSeconds` are required. `enabled` is optional and defaults to `true` when omitted. The `org` identifier is taken from the URL path segment `{org}`. Two request shapes are supported, distinguished by whether the PUT also forces a signing-key rotation: 1. **Without key rotation** -- `rotateKey` is omitted or `false`; `signingKeyOverlapSeconds` must be omitted. 2. **With key rotation** -- `rotateKey: true` and `signingKeyOverlapSeconds` are both required; the Core gRPC API generates a fresh ES256 keypair into the other key slot, swaps the active signer, and arms a JWKS overlap window for the previous key. title: TenantIdentityConfigCreateOrUpdateRequest TenantIdentitySigningKey: type: object properties: kid: type: string description: Key identifier; matches the `kid` published in JWKS for this key. alg: type: string description: Signing algorithm, e.g. `ES256`. currentSigner: type: boolean description: |- True when this key is the active signer for new JWT-SVIDs. Exactly one entry per response is `true`. expireAt: type: - string - 'null' format: date-time description: |- Set on the inactive (previous) key during the JWKS overlap window; the Core gRPC API deletes the inactive slot once `now >= expireAt`. Null on the current signer. required: - kid - alg - currentSigner description: |- A single JWT-SVID signing key entry returned in `TenantIdentityConfig.signingKeys`. Multiple entries appear during a key-rotation overlap window; in steady state only the active signer is listed. title: TenantIdentitySigningKey TenantIdentityConfig: type: object properties: org: type: string description: Organization that owns the Tenant identity configuration enabled: type: boolean description: Whether Tenant identity token delegation is enabled issuer: type: string description: Issuer URL for Tenant identity tokens defaultAudience: type: string description: Default audience used for Tenant identity tokens allowedAudiences: type: array items: type: string description: |- Stored allowlist of audience strings. Always non-empty: when a PUT supplied an empty list, the Core gRPC API substituted `[defaultAudience]` before persisting. Issuance rejects audiences outside this list. tokenTtlSeconds: type: integer description: Lifetime of issued Tenant identity tokens, in seconds subjectPrefix: type: string description: |- SPIFFE ID prefix used in the JWT `sub` claim. When the PUT body omitted `subjectPrefix`, Core stored `spiffe://` here, so the value returned by GET may differ from what was submitted. signingKeys: type: array items: $ref: '#/components/schemas/TenantIdentitySigningKey' description: |- Per-org signing keys currently published in JWKS. Exactly one entry has `currentSigner: true`. During a rotation overlap window a second entry is present with `currentSigner: false` and a populated `expireAt`; once the overlap window elapses the Core gRPC API deletes the expired entry and only the current signer remains. created: type: string format: date-time description: Date/time when the Tenant identity configuration was created updated: type: string format: date-time description: Date/time when the Tenant identity configuration was last updated description: |- Current tenant identity configuration plus the per-org signing key metadata (`signingKeys`). During a JWKS overlap window two entries appear; under steady state only the active signer is listed. Use `signingKeys[].kid` (filtering by `currentSigner`) instead of the legacy single `keyId` field, which was removed with the key-rotation change in NICo-core. title: TenantIdentityConfig NiCoApiErrorSource: type: string enum: - nico description: Source of the error. title: NiCoApiErrorSource NiCoApiErrorData: type: object properties: {} description: Additional data about the error title: NiCoApiErrorData NICoAPIError: type: object properties: source: $ref: '#/components/schemas/NiCoApiErrorSource' description: Source of the error. message: type: string description: Message describing the error data: oneOf: - $ref: '#/components/schemas/NiCoApiErrorData' - type: 'null' description: Additional data about the error description: Describes the error response from NVIDIA Infra Controller REST API title: NICoAPIError securitySchemes: JWTBearerToken: type: http scheme: bearer description: >- ``` export JWT_BEARER_TOKEN="" # Example org name: "acme-inc export ORG_NAME= # Use the JWT bearer token in your API request auth header: curl -v -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $JWT_BEARER_TOKEN" https://nico-rest-api.nico.svc.cluster.local/v2/org/$ORG_NAME/nico/user/current ``` ``` ## Examples ### Example 1 **Request** ```json { "issuer": "https://auth.acme-corp.com", "defaultAudience": "acme-corp-services", "tokenTtlSeconds": 3600 } ``` **Response** ```json { "org": "acme-corp", "enabled": true, "issuer": "https://auth.acme-corp.com", "defaultAudience": "acme-corp-services", "allowedAudiences": [ "acme-corp-services", "acme-corp-analytics", "acme-corp-mobile" ], "tokenTtlSeconds": 3600, "subjectPrefix": "spiffe://acme-corp.com/", "signingKeys": [ { "kid": "a1b2c3d4e5f6g7h8i9j0", "alg": "ES256", "currentSigner": true, "expireAt": "2024-07-15T09:30:00Z" } ], "created": "2024-01-15T09:30:00Z", "updated": "2024-06-10T14:45:00Z" } ``` **SDK Code** ```python import requests url = "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config" payload = { "issuer": "https://auth.acme-corp.com", "defaultAudience": "acme-corp-services", "tokenTtlSeconds": 3600 } headers = { "Authorization": "Bearer ", "Content-Type": "application/json" } response = requests.put(url, json=payload, headers=headers) print(response.json()) ``` ```javascript const url = 'https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config'; const options = { method: 'PUT', headers: {Authorization: 'Bearer ', 'Content-Type': 'application/json'}, body: '{"issuer":"https://auth.acme-corp.com","defaultAudience":"acme-corp-services","tokenTtlSeconds":3600}' }; try { const response = await fetch(url, options); const data = await response.json(); console.log(data); } catch (error) { console.error(error); } ``` ```go package main import ( "fmt" "strings" "net/http" "io" ) func main() { url := "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config" payload := strings.NewReader("{\n \"issuer\": \"https://auth.acme-corp.com\",\n \"defaultAudience\": \"acme-corp-services\",\n \"tokenTtlSeconds\": 3600\n}") req, _ := http.NewRequest("PUT", url, payload) req.Header.Add("Authorization", "Bearer ") req.Header.Add("Content-Type", "application/json") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := io.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```ruby require 'uri' require 'net/http' url = URI("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true request = Net::HTTP::Put.new(url) request["Authorization"] = 'Bearer ' request["Content-Type"] = 'application/json' request.body = "{\n \"issuer\": \"https://auth.acme-corp.com\",\n \"defaultAudience\": \"acme-corp-services\",\n \"tokenTtlSeconds\": 3600\n}" response = http.request(request) puts response.read_body ``` ```java import com.mashape.unirest.http.HttpResponse; import com.mashape.unirest.http.Unirest; HttpResponse response = Unirest.put("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config") .header("Authorization", "Bearer ") .header("Content-Type", "application/json") .body("{\n \"issuer\": \"https://auth.acme-corp.com\",\n \"defaultAudience\": \"acme-corp-services\",\n \"tokenTtlSeconds\": 3600\n}") .asString(); ``` ```php request('PUT', 'https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config', [ 'body' => '{ "issuer": "https://auth.acme-corp.com", "defaultAudience": "acme-corp-services", "tokenTtlSeconds": 3600 }', 'headers' => [ 'Authorization' => 'Bearer ', 'Content-Type' => 'application/json', ], ]); echo $response->getBody(); ``` ```csharp using RestSharp; var client = new RestClient("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config"); var request = new RestRequest(Method.PUT); request.AddHeader("Authorization", "Bearer "); request.AddHeader("Content-Type", "application/json"); request.AddParameter("application/json", "{\n \"issuer\": \"https://auth.acme-corp.com\",\n \"defaultAudience\": \"acme-corp-services\",\n \"tokenTtlSeconds\": 3600\n}", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```swift import Foundation let headers = [ "Authorization": "Bearer ", "Content-Type": "application/json" ] let parameters = [ "issuer": "https://auth.acme-corp.com", "defaultAudience": "acme-corp-services", "tokenTtlSeconds": 3600 ] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "PUT" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error as Any) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ``` ### Example 2 **Request** ```json { "issuer": "https://auth.acme-corp.com", "defaultAudience": "acme-corp-services", "tokenTtlSeconds": 3600 } ``` **Response** ```json { "org": "acme-corp", "enabled": true, "issuer": "https://auth.acme-corp.com", "defaultAudience": "acme-corp-services", "allowedAudiences": [ "acme-corp-services", "acme-corp-analytics", "acme-corp-mobile" ], "tokenTtlSeconds": 3600, "subjectPrefix": "spiffe://acme-corp.com/", "signingKeys": [ { "kid": "a1b2c3d4e5f6g7h8i9j0", "alg": "ES256", "currentSigner": true, "expireAt": "2024-07-15T09:30:00Z" } ], "created": "2024-01-15T09:30:00Z", "updated": "2024-06-10T14:45:00Z" } ``` **SDK Code** ```python import requests url = "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config" payload = { "issuer": "https://auth.acme-corp.com", "defaultAudience": "acme-corp-services", "tokenTtlSeconds": 3600 } headers = { "Authorization": "Bearer ", "Content-Type": "application/json" } response = requests.put(url, json=payload, headers=headers) print(response.json()) ``` ```javascript const url = 'https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config'; const options = { method: 'PUT', headers: {Authorization: 'Bearer ', 'Content-Type': 'application/json'}, body: '{"issuer":"https://auth.acme-corp.com","defaultAudience":"acme-corp-services","tokenTtlSeconds":3600}' }; try { const response = await fetch(url, options); const data = await response.json(); console.log(data); } catch (error) { console.error(error); } ``` ```go package main import ( "fmt" "strings" "net/http" "io" ) func main() { url := "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config" payload := strings.NewReader("{\n \"issuer\": \"https://auth.acme-corp.com\",\n \"defaultAudience\": \"acme-corp-services\",\n \"tokenTtlSeconds\": 3600\n}") req, _ := http.NewRequest("PUT", url, payload) req.Header.Add("Authorization", "Bearer ") req.Header.Add("Content-Type", "application/json") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := io.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```ruby require 'uri' require 'net/http' url = URI("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true request = Net::HTTP::Put.new(url) request["Authorization"] = 'Bearer ' request["Content-Type"] = 'application/json' request.body = "{\n \"issuer\": \"https://auth.acme-corp.com\",\n \"defaultAudience\": \"acme-corp-services\",\n \"tokenTtlSeconds\": 3600\n}" response = http.request(request) puts response.read_body ``` ```java import com.mashape.unirest.http.HttpResponse; import com.mashape.unirest.http.Unirest; HttpResponse response = Unirest.put("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config") .header("Authorization", "Bearer ") .header("Content-Type", "application/json") .body("{\n \"issuer\": \"https://auth.acme-corp.com\",\n \"defaultAudience\": \"acme-corp-services\",\n \"tokenTtlSeconds\": 3600\n}") .asString(); ``` ```php request('PUT', 'https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config', [ 'body' => '{ "issuer": "https://auth.acme-corp.com", "defaultAudience": "acme-corp-services", "tokenTtlSeconds": 3600 }', 'headers' => [ 'Authorization' => 'Bearer ', 'Content-Type' => 'application/json', ], ]); echo $response->getBody(); ``` ```csharp using RestSharp; var client = new RestClient("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config"); var request = new RestRequest(Method.PUT); request.AddHeader("Authorization", "Bearer "); request.AddHeader("Content-Type", "application/json"); request.AddParameter("application/json", "{\n \"issuer\": \"https://auth.acme-corp.com\",\n \"defaultAudience\": \"acme-corp-services\",\n \"tokenTtlSeconds\": 3600\n}", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```swift import Foundation let headers = [ "Authorization": "Bearer ", "Content-Type": "application/json" ] let parameters = [ "issuer": "https://auth.acme-corp.com", "defaultAudience": "acme-corp-services", "tokenTtlSeconds": 3600 ] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "PUT" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error as Any) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ```