Agent Management

OAuth2 credentials

OAuth2 just-in-time (JIT) token exchange lets Tragentics exchange client credentials for a short-lived access token before each proxy call. This is ideal for endpoints that support the OAuth2 client_credentials grant type.

What OAuth2 JIT is

Instead of storing a long-lived API key that gets injected into every request, OAuth2 JIT exchanges your client credentials for a short-lived access token right before a proxy call. The token is used once (or cached until it expires), limiting exposure if intercepted.

OAuth2 JIT uses the client_credentials grant type exclusively. This is a machine-to-machine flow — no user interaction or redirect is involved. It is suited for service accounts and API integrations.

When to use it

Use OAuth2 credentials when your agent's endpoint supports the OAuth2 client_credentials grant. Common scenarios include:

  • Enterprise APIs that issue short-lived tokens via a token endpoint
  • Cloud services with OAuth2 machine-to-machine authentication
  • Internal APIs protected by an identity provider (e.g., Auth0, Okta, Azure AD)
  • Any endpoint where you have a client ID and client secret instead of a static API key

Configuration fields

  • Token endpoint URL (required): The HTTPS URL where Tragentics sends the token exchange request (for example, your identity provider's token endpoint).
  • Client ID (required): The OAuth2 client identifier. Encrypted at rest with AES-256-GCM.
  • Client secret (required): The OAuth2 client secret. Encrypted at rest with AES-256-GCM. Entered via a masked password field.
  • Scopes (optional): Space-separated list of OAuth2 scopes to request. If blank, the token endpoint's default scope is used.
  • Token expiry override (optional): Override the token lifetime in seconds. If not set, Tragentics uses the expiry returned by the token endpoint.

All three required fields (token endpoint URL, client ID, and client secret) must be provided together. If any one is missing, OAuth2 JIT is not activated and the proxy falls back to the static endpoint credential.

How it works

1. Proxy receives an inbound call

A caller sends a request through the Tragentics proxy targeting your agent.

2. Check for cached token

The proxy checks its server-side memory cache for a valid, unexpired access token for this agent. If a valid token exists, it skips the exchange and uses the cached token.

3. Exchange credentials for token

If no cached token exists (or it has expired), the proxy sends a client_credentials grant request to your token endpoint URL with the decrypted client ID and secret. The returned access token is cached in server memory.

4. Inject token and forward

The access token is injected into the Authorization: Bearer header of the outgoing request, which is then forwarded to your agent's endpoint URL.

Priority order

The live credential order is: time-scope check first, then OAuth2 JIT if a complete OAuth2 configuration is enabled, then the static endpoint API key as the final fallback. If OAuth2 is incomplete or disabled, the proxy falls back to the static key path.
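The cache-check, exchange, inject and static-key fallback steps above, written out as an added example (this is not Tragentics code; the OAuth2Config, JitTokenCache and resolve_credential names, and the in-memory identity-provider stub, are assumptions for the demo, and the time-scope check is left out):

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical data model based on the page's configuration fields; not Tragentics code.
@dataclass
class OAuth2Config:
    token_endpoint_url: str = ""
    client_id: str = ""      # encrypted at rest in the real product; plaintext here for the demo
    client_secret: str = ""
    scopes: str = ""         # space-separated; blank means the endpoint's default scope
    token_expiry_override: Optional[int] = None  # seconds; overrides expires_in from the endpoint

    def is_complete(self) -> bool:
        # All three required fields must be present together, otherwise JIT is not activated.
        return all([self.token_endpoint_url, self.client_id, self.client_secret])

@dataclass
class JitTokenCache:
    """Server-side in-memory cache: agent id -> (access_token, expires_at in epoch seconds)."""
    entries: dict = field(default_factory=dict)

    def get(self, agent_id: str, now: float) -> Optional[str]:
        entry = self.entries.get(agent_id)
        return entry[0] if entry and entry[1] > now else None

def exchange_client_credentials(cfg: OAuth2Config, post: Callable) -> tuple:
    """Step 3: client_credentials grant to the token endpoint. Returns (token, ttl_seconds)."""
    form = {"grant_type": "client_credentials",
            "client_id": cfg.client_id, "client_secret": cfg.client_secret}
    if cfg.scopes:
        form["scope"] = cfg.scopes
    resp = post(cfg.token_endpoint_url, form)  # a real transport POSTs this form-encoded over HTTPS
    return resp["access_token"], cfg.token_expiry_override or int(resp["expires_in"])

def resolve_credential(agent_id: str, cfg: OAuth2Config, static_api_key: Optional[str],
                       cache: JitTokenCache, post: Callable, now: float) -> tuple:
    """Steps 2-4 plus the fallback. Returns ("oauth2", header), ("static", key) or ("none", None)."""
    if not cfg.is_complete():            # incomplete or cleared config: static key path
        return ("static", static_api_key) if static_api_key else ("none", None)
    token = cache.get(agent_id, now)     # step 2: reuse an unexpired cached token
    if token is None:                    # step 3: exchange and cache
        token, ttl = exchange_client_credentials(cfg, post)
        cache.entries[agent_id] = (token, now + ttl)
    return ("oauth2", f"Bearer {token}") # step 4: value for the Authorization header

# Constructed stand-in for an identity provider; the counter makes caching observable.
EXCHANGES = []
def fake_token_endpoint(url: str, form: dict) -> dict:
    EXCHANGES.append(form)
    return {"access_token": f"tok{len(EXCHANGES)}", "token_type": "Bearer", "expires_in": 3600}
```

Calling resolve_credential twice within the token lifetime performs a single exchange; once the cached expiry passes, or when the expiry override is set, the cache entry reflects the shorter lifetime.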

Clearing OAuth2 configuration

To disable OAuth2 JIT, clear the token endpoint URL, client ID, and client secret fields in the Settings tab and save. The proxy reverts to using the static endpoint credential (if one is stored). OAuth2 tokens are cached only in server memory, so the cached token path naturally expires with the saved configuration.

Next

To add a cryptographic identity layer so a leaked token can't impersonate your agent, see Ed25519 Authentication →