# Create or Update Token Delegation

PUT https://nico-rest-api.nico.svc.cluster.local/v2/org/{org}/nico/site/{siteID}/tenant-identity/token-delegation
Content-Type: application/json

Register an RFC 8693 token exchange callback for the tenant. When
configured, the Core gRPC API issues a short-lived intermediate
JWT-SVID to the tenant's exchange server instead of signing
workload tokens directly.

The user must have an authorization role with the `TENANT_ADMIN` suffix for the org named in the URL path `{org}`.

Requires a pre-existing `/tenant-identity/config` on this org/site
(returns `404` otherwise). Because PUT is full-replace, omitting
`clientSecretBasic` on an update clears any stored credentials
and switches the org back to no-auth; re-supply `clientId` /
`clientSecret` on every PUT to keep basic auth (the raw secret
is never returned by GET). Returns `201 Created` on first call,
`200 OK` on subsequent updates.

Reference: https://docs.nvidia.com/infra-controller/infra-controller/rest-api-reference/api-reference/tenant-identity/create-or-update-tenant-identity-token-delegation

## OpenAPI Specification

```yaml
openapi: 3.1.0
info:
  title: NVIDIA Infra Controller REST API
  version: 1.0.0
paths:
  /v2/org/{org}/nico/site/{siteID}/tenant-identity/token-delegation:
    put:
      operationId: create-or-update-tenant-identity-token-delegation
      summary: Create or Update Token Delegation
      description: |-
        Register an RFC 8693 token exchange callback for the tenant. When
        configured, the Core gRPC API issues a short-lived intermediate
        JWT-SVID to the tenant's exchange server instead of signing
        workload tokens directly.

        The user must have an authorization role with the `TENANT_ADMIN` suffix
        for the org named in the URL path `{org}`.

        Requires a pre-existing `/tenant-identity/config` on this org/site
        (returns `404` otherwise). Because PUT is full-replace, omitting
        `clientSecretBasic` on an update clears any stored credentials
        and switches the org back to no-auth; re-supply `clientId` /
        `clientSecret` on every PUT to keep basic auth (the raw secret
        is never returned by GET). Returns `201 Created` on first call,
        `200 OK` on subsequent updates.
      tags:
        - subpackage_tenantIdentity
      parameters:
        - name: org
          in: path
          description: Name of the Org
          required: true
          schema:
            type: string
        - name: siteID
          in: path
          description: ID of the Site
          required: true
          schema:
            type: string
            format: uuid
        - name: Authorization
          in: header
          description: |-
            ```
            export JWT_BEARER_TOKEN="<jwt-bearer-token>"

            # Example org name: "acme-inc"
            export ORG_NAME=<org-name>

            # Use the JWT bearer token in your API request auth header:
            curl -v -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $JWT_BEARER_TOKEN" https://nico-rest-api.nico.svc.cluster.local/v2/org/$ORG_NAME/nico/user/current
            ```
          required: true
          schema:
            type: string
      responses:
        '200':
          description: Token delegation replaced/updated
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TenantIdentityTokenDelegation'
        '400':
          description: Error response when request data cannot be validated
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NICoAPIError'
        '403':
          description: >-
            Error response when user is not authorized to call an endpoint or
            retrieve/modify objects
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NICoAPIError'
        '404':
          description: Error response when requested object is not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NICoAPIError'
        '500':
          description: Response when the API handler encounters an unexpected error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NICoAPIError'
        '503':
          description: |-
            Core gRPC API is unavailable, or site-level machine identity is
            disabled (`enabled=false` in site config), so the request cannot
            be served.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NICoAPIError'
      requestBody:
        content:
          application/json:
            schema:
              $ref: >-
                #/components/schemas/TenantIdentityTokenDelegationCreateOrUpdateRequest
servers:
  - url: https://nico-rest-api.nico.svc.cluster.local
    description: Kubernetes Cluster
components:
  schemas:
    TenantIdentityBasicClientSecretRequest:
      type: object
      properties:
        clientId:
          type: string
          description: Client identifier used for basic client-secret authentication
        clientSecret:
          type: string
          description: |-
            Raw OAuth2 client secret. Transmitted over TLS to the Core gRPC API,
            which encrypts it at rest in its database using a per-site key. Never
            echoed in responses; subsequent reads return only a `sha256:`-prefixed
            hash in `clientSecretHash`.
      required:
        - clientId
        - clientSecret
      description: >-
        Raw OAuth2 `client_secret_basic` credentials. `clientSecret` is accepted
        on input but never returned in responses.
      title: TenantIdentityBasicClientSecretRequest
    TenantIdentityTokenDelegationCreateOrUpdateRequest:
      type: object
      properties:
        tokenEndpoint:
          type: string
          format: uri
          description: |-
            URL of the tenant's RFC 8693 token exchange endpoint.
            The Core gRPC API validates scheme and host against its
            configured `[machine_identity].token_endpoint_domain_allowlist`
            and rejects mismatches with `400 Bad Request`. Operators that
            need to enforce HTTPS-only must populate that allowlist.
        clientSecretBasic:
          $ref: '#/components/schemas/TenantIdentityBasicClientSecretRequest'
          description: Client-secret basic authentication settings for token delegation
        subjectTokenAudience:
          type: string
          description: >-
            Audience value placed on the intermediate JWT-SVID posted to the
            exchange endpoint.
      required:
        - tokenEndpoint
        - subjectTokenAudience
      description: |-
        RFC 8693 token exchange callback configuration. Omit
        `clientSecretBasic` entirely for auth method `none`; include it
        for `client_secret_basic`.

        Because PUT is full-replace, omitting `clientSecretBasic` on a
        subsequent update **clears** any previously-stored credentials
        and switches the org back to no-auth. To keep basic-auth across
        updates, re-supply `clientId` and `clientSecret` on every PUT —
        Core never returns the raw secret (only its hash), so the secret
        must be available to the caller.
      title: TenantIdentityTokenDelegationCreateOrUpdateRequest
    TenantIdentityBasicClientSecretResponse:
      type: object
      properties:
        clientId:
          type: string
          description: Client identifier used for basic client-secret authentication
        clientSecretHash:
          type: string
          description: SHA-256 hash of the raw secret.
      description: >-
        Public half of `client_secret_basic` credentials. Only the SHA-256 hash
        of the secret is returned.
      title: TenantIdentityBasicClientSecretResponse
    TenantIdentityTokenDelegation:
      type: object
      properties:
        tokenEndpoint:
          type: string
          format: uri
          description: Token endpoint used to exchange delegated Tenant identity tokens
        clientSecretBasic:
          $ref: '#/components/schemas/TenantIdentityBasicClientSecretResponse'
          description: Client-secret basic authentication settings for token delegation
        subjectTokenAudience:
          type: string
          description: Audience value expected on the subject token
        created:
          type: string
          format: date-time
          description: Date/time when the token delegation configuration was created
        updated:
          type: string
          format: date-time
          description: Date/time when the token delegation configuration was last updated
      description: Current token delegation configuration for the org.
      title: TenantIdentityTokenDelegation
    NiCoApiErrorSource:
      type: string
      enum:
        - nico
      description: Source of the error.
      title: NiCoApiErrorSource
    NiCoApiErrorData:
      type: object
      properties: {}
      description: Additional data about the error
      title: NiCoApiErrorData
    NICoAPIError:
      type: object
      properties:
        source:
          $ref: '#/components/schemas/NiCoApiErrorSource'
          description: Source of the error.
        message:
          type: string
          description: Message describing the error
        data:
          oneOf:
            - $ref: '#/components/schemas/NiCoApiErrorData'
            - type: 'null'
          description: Additional data about the error
      description: Describes the error response from NVIDIA Infra Controller REST API
      title: NICoAPIError
  securitySchemes:
    JWTBearerToken:
      type: http
      scheme: bearer
      description: |-
        ```
        export JWT_BEARER_TOKEN="<jwt-bearer-token>"

        # Example org name: "acme-inc"
        export ORG_NAME=<org-name>

        # Use the JWT bearer token in your API request auth header:
        curl -v -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $JWT_BEARER_TOKEN" https://nico-rest-api.nico.svc.cluster.local/v2/org/$ORG_NAME/nico/user/current
        ```

```

## Examples

### Example 1



**Request**

```json
{
  "tokenEndpoint": "https://auth.acme-inc.com/oauth2/token",
  "subjectTokenAudience": "api.acme-inc.com"
}
```

**Response**

```json
{
  "tokenEndpoint": "https://auth.acme-inc.com/oauth2/token",
  "clientSecretBasic": {
    "clientId": "acme-client-01",
    "clientSecretHash": "sha256:3a7bd3e2360a3f4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b"
  },
  "subjectTokenAudience": "api.acme-inc.com",
  "created": "2024-01-15T09:30:00Z",
  "updated": "2024-01-15T09:30:00Z"
}
```

**SDK Code**

```python
import requests

url = "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/token-delegation"

payload = {
    "tokenEndpoint": "https://auth.acme-inc.com/oauth2/token",
    "subjectTokenAudience": "api.acme-inc.com"
}
headers = {
    "Authorization": "Bearer <token>",
    "Content-Type": "application/json"
}

response = requests.put(url, json=payload, headers=headers)

print(response.json())
```

```javascript
const url = 'https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/token-delegation';
const options = {
  method: 'PUT',
  headers: {Authorization: 'Bearer <token>', 'Content-Type': 'application/json'},
  body: '{"tokenEndpoint":"https://auth.acme-inc.com/oauth2/token","subjectTokenAudience":"api.acme-inc.com"}'
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}
```

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

func main() {
	// Replace "org" and "siteID" in the path with the org name and site UUID.
	url := "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/token-delegation"

	// No clientSecretBasic in the body: the delegation is registered with auth method "none".
	payload := strings.NewReader("{\n  \"tokenEndpoint\": \"https://auth.acme-inc.com/oauth2/token\",\n  \"subjectTokenAudience\": \"api.acme-inc.com\"\n}")

	req, err := http.NewRequest("PUT", url, payload)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Authorization", "Bearer <token>")
	req.Header.Add("Content-Type", "application/json")

	// Check the transport error before touching res.Body: on error res is nil.
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}

	// 201 Created on the first PUT, 200 OK on subsequent updates.
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
```

```ruby
require 'uri'
require 'net/http'

url = URI("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/token-delegation")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Put.new(url)
request["Authorization"] = 'Bearer <token>'
request["Content-Type"] = 'application/json'
request.body = "{\n  \"tokenEndpoint\": \"https://auth.acme-inc.com/oauth2/token\",\n  \"subjectTokenAudience\": \"api.acme-inc.com\"\n}"

response = http.request(request)
puts response.read_body
```

```java
import com.mashape.unirest.http.HttpResponse;
import com.mashape.unirest.http.Unirest;

HttpResponse<String> response = Unirest.put("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/token-delegation")
  .header("Authorization", "Bearer <token>")
  .header("Content-Type", "application/json")
  .body("{\n  \"tokenEndpoint\": \"https://auth.acme-inc.com/oauth2/token\",\n  \"subjectTokenAudience\": \"api.acme-inc.com\"\n}")
  .asString();
```

```php
<?php
require_once('vendor/autoload.php');

$client = new \GuzzleHttp\Client();

$response = $client->request('PUT', 'https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/token-delegation', [
  'body' => '{
  "tokenEndpoint": "https://auth.acme-inc.com/oauth2/token",
  "subjectTokenAudience": "api.acme-inc.com"
}',
  'headers' => [
    'Authorization' => 'Bearer <token>',
    'Content-Type' => 'application/json',
  ],
]);

echo $response->getBody();
```

```csharp
using RestSharp;

var client = new RestClient("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/token-delegation");
var request = new RestRequest(Method.PUT);
request.AddHeader("Authorization", "Bearer <token>");
request.AddHeader("Content-Type", "application/json");
request.AddParameter("application/json", "{\n  \"tokenEndpoint\": \"https://auth.acme-inc.com/oauth2/token\",\n  \"subjectTokenAudience\": \"api.acme-inc.com\"\n}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
```

```swift
import Foundation

let headers = [
  "Authorization": "Bearer <token>",
  "Content-Type": "application/json"
]
let parameters = [
  "tokenEndpoint": "https://auth.acme-inc.com/oauth2/token",
  "subjectTokenAudience": "api.acme-inc.com"
] as [String : Any]

// JSONSerialization.data(withJSONObject:) throws, so it must be called with try.
let postData = try! JSONSerialization.data(withJSONObject: parameters, options: [])

let request = NSMutableURLRequest(url: NSURL(string: "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/token-delegation")! as URL,
                                        cachePolicy: .useProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.httpMethod = "PUT"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    print(error as Any)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse)
  }
})

dataTask.resume()
```
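The SDK snippets above send the minimal no-auth body. The following is an added example (not part of the NVIDIA documentation or SDK) that encodes the full-replace rule from the description: it builds a PUT body that keeps `client_secret_basic` only when both `clientId` and `clientSecret` are re-supplied, and checks a PUT/GET response against what was sent, including that the raw secret is not echoed and that `clientSecretHash` matches. It assumes `clientSecretHash` is `sha256:` followed by the lowercase hex SHA-256 of the raw secret bytes, which the page's 64-hex-character sample suggests but does not state; all values are constructed.

```python
import hashlib
from typing import Any, Optional

# Constructed sample values; real ones are tenant-specific.
TOKEN_ENDPOINT = "https://auth.acme-inc.com/oauth2/token"
AUDIENCE = "api.acme-inc.com"


def build_token_delegation_body(
    token_endpoint: str,
    subject_token_audience: str,
    client_id: Optional[str] = None,
    client_secret: Optional[str] = None,
) -> dict[str, Any]:
    """Build the PUT body. PUT is full-replace: a body without
    clientSecretBasic switches the org to auth method `none` and clears
    any stored credentials, so both halves must be re-supplied every time."""
    if (client_id is None) != (client_secret is None):
        raise ValueError("clientId and clientSecret must be supplied together")
    body: dict[str, Any] = {
        "tokenEndpoint": token_endpoint,
        "subjectTokenAudience": subject_token_audience,
    }
    if client_id is not None:
        body["clientSecretBasic"] = {"clientId": client_id, "clientSecret": client_secret}
    return body


def expected_secret_hash(client_secret: str) -> str:
    # Assumption: "sha256:" + lowercase hex SHA-256 of the raw secret bytes.
    return "sha256:" + hashlib.sha256(client_secret.encode("utf-8")).hexdigest()


def verify_delegation_response(sent: dict, received: dict) -> list[str]:
    """Compare a PUT or GET response with the body that was sent.
    Returns a list of discrepancies; an empty list means the stored
    configuration matches the caller's intent."""
    problems: list[str] = []
    for key in ("tokenEndpoint", "subjectTokenAudience"):
        if received.get(key) != sent[key]:
            problems.append(f"{key}: sent {sent[key]!r}, stored {received.get(key)!r}")
    sent_creds = sent.get("clientSecretBasic")
    got_creds = received.get("clientSecretBasic")
    if sent_creds is None:
        # No credentials were sent, so full-replace must have left the org on no-auth.
        if got_creds is not None:
            problems.append("clientSecretBasic present although none was sent")
    elif got_creds is None:
        problems.append("clientSecretBasic missing; credentials were not stored")
    else:
        if "clientSecret" in got_creds:
            problems.append("raw clientSecret echoed in response")
        if got_creds.get("clientId") != sent_creds["clientId"]:
            problems.append("clientId mismatch")
        if got_creds.get("clientSecretHash") != expected_secret_hash(sent_creds["clientSecret"]):
            problems.append("clientSecretHash does not match the secret that was sent")
    return problems


if __name__ == "__main__":
    body = build_token_delegation_body(TOKEN_ENDPOINT, AUDIENCE, "acme-client-01", "s3cret")
    # Constructed stand-in for the JSON a PUT would return.
    reply = {"tokenEndpoint": TOKEN_ENDPOINT, "subjectTokenAudience": AUDIENCE,
             "clientSecretBasic": {"clientId": "acme-client-01",
                                   "clientSecretHash": expected_secret_hash("s3cret")}}
    print(verify_delegation_response(body, reply))  # [] when everything matches
```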
