> For clean Markdown of any page, append .md to the page URL. > For a complete documentation index, see https://docs.nvidia.com/infra-controller/llms.txt. > For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://docs.nvidia.com/infra-controller/_mcp/server. # Retrieve OIDC JWKS for current Org GET https://nico-rest-api.nico.svc.cluster.local/v2/org/{org}/nico/site/{siteID}/.well-known/jwks.json Public RFC 7517 JSON Web Key Set for JWT-SVID signature verification (`use: sig`). No authentication required. NICo currently issues `ES256` signatures over `P-256` keys. Returns `404 Not Found` when no identity configuration exists for this org/site, and `502 Bad Gateway` when the Core gRPC API returns a malformed body. See the Tenant Identity tag description for consumer guidance during key rotation. Reference: https://docs.nvidia.com/infra-controller/infra-controller/rest-api-reference/api-reference/tenant-identity/get-jwks ## OpenAPI Specification ```yaml openapi: 3.1.0 info: title: NVIDIA Infra Controller REST API version: 1.0.0 paths: /v2/org/{org}/nico/site/{siteID}/.well-known/jwks.json: get: operationId: get-jwks summary: Retrieve OIDC JWKS for current Org description: >- Public RFC 7517 JSON Web Key Set for JWT-SVID signature verification (`use: sig`). No authentication required. NICo currently issues `ES256` signatures over `P-256` keys. Returns `404 Not Found` when no identity configuration exists for this org/site, and `502 Bad Gateway` when the Core gRPC API returns a malformed body. See the Tenant Identity tag description for consumer guidance during key rotation. tags: - subpackage_tenantIdentity parameters: - name: org in: path description: Name of the Org required: true schema: type: string - name: siteID in: path description: ID of the Site required: true schema: type: string format: uuid responses: '200': description: JWKS document. content: application/json: schema: $ref: '#/components/schemas/TenantIdentityJWKS' '404': description: Error response when requested object is not found content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' '500': description: Response when the API handler encounters an unexpected error content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' '502': description: Response when the API handler encounters an unexpected error content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' '503': description: Response when the API handler encounters an unexpected error content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' servers: - url: https://nico-rest-api.nico.svc.cluster.local description: Kubernetes Cluster components: schemas: TenantIdentityJwksKeysItems: type: object properties: kty: type: string use: type: string description: '`sig` for OIDC JWKS, `jwt-svid` for SPIFFE JWKS' crv: type: string kid: type: string x: type: string description: Base64url-encoded EC x coordinate 'y': type: string description: Base64url-encoded EC y coordinate alg: type: string title: TenantIdentityJwksKeysItems TenantIdentityJWKS: type: object properties: keys: type: array items: $ref: '#/components/schemas/TenantIdentityJwksKeysItems' description: |- RFC 7517 JWK members. NICo currently emits only EC keys (`kty: EC`, `crv: P-256`, `alg: ES256`); the schema is intentionally open-ended so that future algorithms can be added without a spec change. required: - keys description: |- RFC 7517 JSON Web Key Set. NICo-rest returns this schema only on `200 OK`; in that case the `keys` member is present. The Core gRPC API normally returns one key, or two during a rotation overlap window. When no identity configuration exists for the org/site, the JWKS endpoints return `404 Not Found`. title: TenantIdentityJWKS NiCoApiErrorSource: type: string enum: - nico description: Source of the error. title: NiCoApiErrorSource NiCoApiErrorData: type: object properties: {} description: Additional data about the error title: NiCoApiErrorData NICoAPIError: type: object properties: source: $ref: '#/components/schemas/NiCoApiErrorSource' description: Source of the error. message: type: string description: Message describing the error data: oneOf: - $ref: '#/components/schemas/NiCoApiErrorData' - type: 'null' description: Additional data about the error description: Describes the error response from NVIDIA Infra Controller REST API title: NICoAPIError ``` ## Examples **Request** ```json {} ``` **Response** ```json { "keys": [ { "kty": "EC", "use": "sig", "crv": "P-256", "kid": "a1b2c3d4e5f67890123456789abcdef0", "x": "f83OJ3D2xF4v1Q6X9J7vZ9Q1X9v7Q2X9v7Q1X9v7Q2X9v7Q1", "y": "x_FEzRu9v7Q1X9v7Q2X9v7Q1X9v7Q2X9v7Q1X9v7Q2X9v7Q1X", "alg": "ES256" } ] } ``` **SDK Code** ```python import requests url = "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/.well-known/jwks.json" payload = {} headers = {"Content-Type": "application/json"} response = requests.get(url, json=payload, headers=headers) print(response.json()) ``` ```javascript const url = 'https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/.well-known/jwks.json'; const options = {method: 'GET', headers: {'Content-Type': 'application/json'}, body: '{}'}; try { const response = await fetch(url, options); const data = await response.json(); console.log(data); } catch (error) { console.error(error); } ``` ```go package main import ( "fmt" "strings" "net/http" "io" ) func main() { url := "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/.well-known/jwks.json" payload := strings.NewReader("{}") req, _ := http.NewRequest("GET", url, payload) req.Header.Add("Content-Type", "application/json") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := io.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```ruby require 'uri' require 'net/http' url = URI("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/.well-known/jwks.json") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true request = Net::HTTP::Get.new(url) request["Content-Type"] = 'application/json' request.body = "{}" response = http.request(request) puts response.read_body ``` ```java import com.mashape.unirest.http.HttpResponse; import com.mashape.unirest.http.Unirest; HttpResponse response = Unirest.get("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/.well-known/jwks.json") .header("Content-Type", "application/json") .body("{}") .asString(); ``` ```php request('GET', 'https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/.well-known/jwks.json', [ 'body' => '{}', 'headers' => [ 'Content-Type' => 'application/json', ], ]); echo $response->getBody(); ``` ```csharp using RestSharp; var client = new RestClient("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/.well-known/jwks.json"); var request = new RestRequest(Method.GET); request.AddHeader("Content-Type", "application/json"); request.AddParameter("application/json", "{}", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```swift import Foundation let headers = ["Content-Type": "application/json"] let parameters = [] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/.well-known/jwks.json")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "GET" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error as Any) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ```