Create or Update Token Delegation

PUT

https://nico-rest-api.nico.svc.cluster.local/v2/org/:org/nico/site/:siteID/tenant-identity/token-delegation

Register an RFC 8693 token exchange callback for the tenant. When configured, the Core gRPC API issues a short-lived intermediate JWT-SVID to the tenant’s exchange server instead of signing workload tokens directly.

User must have authorization role with TENANT_ADMIN suffix in the URL {org}.

Requires a pre-existing /tenant-identity/config on this org/site (returns 404 otherwise). Because PUT is full-replace, omitting clientSecretBasic on an update clears any stored credentials and switches the org back to no-auth; re-supply clientId / clientSecret on every PUT to keep basic auth (the raw secret is never returned by GET). Returns 201 Created on first call, 200 OK on subsequent updates.

Register an RFC 8693 token exchange callback for the tenant. When configured, the Core gRPC API issues a short-lived intermediate JWT-SVID to the tenant's exchange server instead of signing workload tokens directly. User must have authorization role with `TENANT_ADMIN` suffix in the URL `{org}`. Requires a pre-existing `/tenant-identity/config` on this org/site (returns `404` otherwise). Because PUT is full-replace, omitting `clientSecretBasic` on an update clears any stored credentials and switches the org back to no-auth; re-supply `clientId` / `clientSecret` on every PUT to keep basic auth (the raw secret is never returned by GET). Returns `201 Created` on first call, `200 OK` on subsequent updates.

Authentication

AuthorizationBearer

export JWT_BEARER_TOKEN="<jwt-bearer-token>"
# Example org name: "acme-inc
export ORG_NAME=<org-name>
# Use the JWT bearer token in your API request auth header:
curl -v -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $JWT_BEARER_TOKEN" https://nico-rest-api.nico.svc.cluster.local/v2/org/$ORG_NAME/nico/user/current

``` export JWT_BEARER_TOKEN="<jwt-bearer-token>" # Example org name: "acme-inc export ORG_NAME=<org-name> # Use the JWT bearer token in your API request auth header: curl -v -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $JWT_BEARER_TOKEN" https://nico-rest-api.nico.svc.cluster.local/v2/org/$ORG_NAME/nico/user/current ```

Path parameters

orgstringRequired

Name of the Org

siteIDstringRequiredformat: "uuid"

ID of the Site

Request

This endpoint expects an object.

tokenEndpointstringRequiredformat: "uri"

URL of the tenant’s RFC 8693 token exchange endpoint. The Core gRPC API validates scheme and host against its configured [machine_identity].token_endpoint_domain_allowlist and rejects mismatches with 400 Bad Request. Operators that need to enforce HTTPS-only must populate that allowlist.

subjectTokenAudiencestringRequired

Audience value placed on the intermediate JWT-SVID posted to the exchange endpoint.

clientSecretBasicobjectOptional

Raw OAuth2 client_secret_basic credentials. clientSecret is accepted on input but never returned in responses.

Response

Token delegation replaced/updated

tokenEndpointstringformat: "uri"

clientSecretBasicobject

Public half of client_secret_basic credentials. Only the SHA-256 hash of the secret is returned.

subjectTokenAudiencestring

createddatetime

updateddatetime

Errors

400

Bad Request Error

403

Forbidden Error

404

Not Found Error

500

Internal Server Error

503

Service Unavailable Error

$	curl -X PUT https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/token-delegation \
>	-H "Authorization: Bearer <token>" \
>	-H "Content-Type: application/json" \
>	-d '{
>	"tokenEndpoint": "https://auth.acme-inc.com/oauth2/token",
>	"subjectTokenAudience": "api.acme-inc.com"
>	}'

1	{
2	"tokenEndpoint": "https://auth.acme-inc.com/oauth2/token",
3	"clientSecretBasic": {
4	"clientId": "acme-client-123",
5	"clientSecretHash": "sha256:3a7bd3e2360a3d5f8e4b7c9a1f2d4e5b6c7d8e9f0a1b2c3d4e5f678901234567"
6	},
7	"subjectTokenAudience": "api.acme-inc.com",
8	"created": "2024-01-15T09:30:00Z",
9	"updated": "2024-01-15T09:30:00Z"
10	}