> For clean Markdown of any page, append .md to the page URL. > For a complete documentation index, see https://docs.nvidia.com/infra-controller/llms.txt. > For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://docs.nvidia.com/infra-controller/_mcp/server. # Retrieve Tenant Identity Configuration for current Org GET https://nico-rest-api.nico.svc.cluster.local/v2/org/{org}/nico/site/{siteID}/tenant-identity/config Retrieve the tenant identity configuration and signing key metadata. User must have authorization role with `TENANT_ADMIN` suffix in the URL `{org}`. The response reflects the stored configuration. Fields you omitted on PUT may be filled in by Core: `allowedAudiences` defaults to `[defaultAudience]`, and `subjectPrefix` defaults to the issuer's trust domain. `signingKeys` lists one entry normally, or two during a key-rotation overlap. Reference: https://docs.nvidia.com/infra-controller/infra-controller/rest-api-reference/api-reference/tenant-identity/get-tenant-identity-config ## OpenAPI Specification ```yaml openapi: 3.1.0 info: title: NVIDIA Infra Controller REST API version: 1.0.0 paths: /v2/org/{org}/nico/site/{siteID}/tenant-identity/config: get: operationId: get-tenant-identity-config summary: Retrieve Tenant Identity Configuration for current Org description: >- Retrieve the tenant identity configuration and signing key metadata. User must have authorization role with `TENANT_ADMIN` suffix in the URL `{org}`. The response reflects the stored configuration. Fields you omitted on PUT may be filled in by Core: `allowedAudiences` defaults to `[defaultAudience]`, and `subjectPrefix` defaults to the issuer's trust domain. `signingKeys` lists one entry normally, or two during a key-rotation overlap. tags: - subpackage_tenantIdentity parameters: - name: org in: path description: Name of the Org required: true schema: type: string - name: siteID in: path description: ID of the Site required: true schema: type: string format: uuid - name: Authorization in: header description: >- ``` export JWT_BEARER_TOKEN="" # Example org name: "acme-inc export ORG_NAME= # Use the JWT bearer token in your API request auth header: curl -v -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $JWT_BEARER_TOKEN" https://nico-rest-api.nico.svc.cluster.local/v2/org/$ORG_NAME/nico/user/current ``` required: true schema: type: string responses: '200': description: Tenant identity configuration retrieved content: application/json: schema: $ref: '#/components/schemas/TenantIdentityConfig' '400': description: Error response when request data cannot be validated content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' '403': description: >- Error response when user is not authorized to call an endpoint or retrieve/modify objects content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' '404': description: Error response when requested object is not found content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' '500': description: Response when the API handler encounters an unexpected error content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' '503': description: |- Core gRPC API is unavailable, or site-level machine identity is disabled (`enabled=false` in site config), so the request cannot be served. content: application/json: schema: $ref: '#/components/schemas/NICoAPIError' servers: - url: https://nico-rest-api.nico.svc.cluster.local description: Kubernetes Cluster components: schemas: TenantIdentitySigningKey: type: object properties: kid: type: string description: Key identifier; matches the `kid` published in JWKS for this key. alg: type: string description: Signing algorithm, e.g. `ES256`. currentSigner: type: boolean description: |- True when this key is the active signer for new JWT-SVIDs. Exactly one entry per response is `true`. expireAt: type: - string - 'null' format: date-time description: |- Set on the inactive (previous) key during the JWKS overlap window; the Core gRPC API deletes the inactive slot once `now >= expireAt`. Null on the current signer. required: - kid - alg - currentSigner description: |- A single JWT-SVID signing key entry returned in `TenantIdentityConfig.signingKeys`. Multiple entries appear during a key-rotation overlap window; in steady state only the active signer is listed. title: TenantIdentitySigningKey TenantIdentityConfig: type: object properties: org: type: string description: Organization that owns the Tenant identity configuration enabled: type: boolean description: Whether Tenant identity token delegation is enabled issuer: type: string description: Issuer URL for Tenant identity tokens defaultAudience: type: string description: Default audience used for Tenant identity tokens allowedAudiences: type: array items: type: string description: |- Stored allowlist of audience strings. Always non-empty: when a PUT supplied an empty list, the Core gRPC API substituted `[defaultAudience]` before persisting. Issuance rejects audiences outside this list. tokenTtlSeconds: type: integer description: Lifetime of issued Tenant identity tokens, in seconds subjectPrefix: type: string description: |- SPIFFE ID prefix used in the JWT `sub` claim. When the PUT body omitted `subjectPrefix`, Core stored `spiffe://` here, so the value returned by GET may differ from what was submitted. signingKeys: type: array items: $ref: '#/components/schemas/TenantIdentitySigningKey' description: |- Per-org signing keys currently published in JWKS. Exactly one entry has `currentSigner: true`. During a rotation overlap window a second entry is present with `currentSigner: false` and a populated `expireAt`; once the overlap window elapses the Core gRPC API deletes the expired entry and only the current signer remains. created: type: string format: date-time description: Date/time when the Tenant identity configuration was created updated: type: string format: date-time description: Date/time when the Tenant identity configuration was last updated description: |- Current tenant identity configuration plus the per-org signing key metadata (`signingKeys`). During a JWKS overlap window two entries appear; under steady state only the active signer is listed. Use `signingKeys[].kid` (filtering by `currentSigner`) instead of the legacy single `keyId` field, which was removed with the key-rotation change in NICo-core. title: TenantIdentityConfig NiCoApiErrorSource: type: string enum: - nico description: Source of the error. title: NiCoApiErrorSource NiCoApiErrorData: type: object properties: {} description: Additional data about the error title: NiCoApiErrorData NICoAPIError: type: object properties: source: $ref: '#/components/schemas/NiCoApiErrorSource' description: Source of the error. message: type: string description: Message describing the error data: oneOf: - $ref: '#/components/schemas/NiCoApiErrorData' - type: 'null' description: Additional data about the error description: Describes the error response from NVIDIA Infra Controller REST API title: NICoAPIError securitySchemes: JWTBearerToken: type: http scheme: bearer description: >- ``` export JWT_BEARER_TOKEN="" # Example org name: "acme-inc export ORG_NAME= # Use the JWT bearer token in your API request auth header: curl -v -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $JWT_BEARER_TOKEN" https://nico-rest-api.nico.svc.cluster.local/v2/org/$ORG_NAME/nico/user/current ``` ``` ## Examples **Request** ```json {} ``` **Response** ```json { "org": "acme-corp", "enabled": true, "issuer": "https://auth.acme-corp.com/tenant-identity", "defaultAudience": "https://api.acme-corp.com", "allowedAudiences": [ "https://api.acme-corp.com", "https://services.acme-corp.com" ], "tokenTtlSeconds": 3600, "subjectPrefix": "spiffe://auth.acme-corp.com", "signingKeys": [ { "kid": "a1b2c3d4e5f6g7h8i9j0", "alg": "ES256", "currentSigner": true, "expireAt": null } ], "created": "2024-04-10T12:00:00Z", "updated": "2024-05-01T08:30:00Z" } ``` **SDK Code** ```python import requests url = "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config" payload = {} headers = { "Authorization": "Bearer ", "Content-Type": "application/json" } response = requests.get(url, json=payload, headers=headers) print(response.json()) ``` ```javascript const url = 'https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config'; const options = { method: 'GET', headers: {Authorization: 'Bearer ', 'Content-Type': 'application/json'}, body: '{}' }; try { const response = await fetch(url, options); const data = await response.json(); console.log(data); } catch (error) { console.error(error); } ``` ```go package main import ( "fmt" "strings" "net/http" "io" ) func main() { url := "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config" payload := strings.NewReader("{}") req, _ := http.NewRequest("GET", url, payload) req.Header.Add("Authorization", "Bearer ") req.Header.Add("Content-Type", "application/json") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := io.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```ruby require 'uri' require 'net/http' url = URI("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true request = Net::HTTP::Get.new(url) request["Authorization"] = 'Bearer ' request["Content-Type"] = 'application/json' request.body = "{}" response = http.request(request) puts response.read_body ``` ```java import com.mashape.unirest.http.HttpResponse; import com.mashape.unirest.http.Unirest; HttpResponse response = Unirest.get("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config") .header("Authorization", "Bearer ") .header("Content-Type", "application/json") .body("{}") .asString(); ``` ```php request('GET', 'https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config', [ 'body' => '{}', 'headers' => [ 'Authorization' => 'Bearer ', 'Content-Type' => 'application/json', ], ]); echo $response->getBody(); ``` ```csharp using RestSharp; var client = new RestClient("https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config"); var request = new RestRequest(Method.GET); request.AddHeader("Authorization", "Bearer "); request.AddHeader("Content-Type", "application/json"); request.AddParameter("application/json", "{}", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```swift import Foundation let headers = [ "Authorization": "Bearer ", "Content-Type": "application/json" ] let parameters = [] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "GET" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error as Any) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ```