OAuth2 credentials
OAuth2 just-in-time (JIT) token exchange lets Tragentics exchange client credentials for a short-lived access token before each proxy call. This is ideal for endpoints that support the OAuth2 client_credentials grant type.
What OAuth2 JIT is
Instead of storing a long-lived API key that gets injected into every request, OAuth2 JIT exchanges your client credentials for a short-lived access token right before a proxy call. The token is used once (or cached until it expires), limiting exposure if intercepted.
OAuth2 JIT uses the client_credentials grant type exclusively. This is a machine-to-machine flow — no user interaction or redirect is involved. It is suited for service accounts and API integrations.
When to use it
Use OAuth2 credentials when your agent's endpoint supports the OAuth2 client_credentials grant. Common scenarios include:
- Enterprise APIs that issue short-lived tokens via a token endpoint
- Cloud services with OAuth2 machine-to-machine authentication
- Internal APIs protected by an identity provider (e.g., Auth0, Okta, Azure AD)
- Any endpoint where you have a client ID and client secret instead of a static API key
Configuration fields
| Field | Required | Description |
|---|---|---|
| Token endpoint URL | Yes | The HTTPS URL where Tragentics sends the token exchange request (for example, your identity provider's token endpoint). |
| Client ID | Yes | The OAuth2 client identifier. Encrypted at rest with AES-256-GCM. |
| Client secret | Yes | The OAuth2 client secret. Encrypted at rest with AES-256-GCM. Entered via a masked password field. |
| Scopes | No | Space-separated list of OAuth2 scopes to request. If blank, the token endpoint's default scope is used. |
| Token expiry override | No | Override the token lifetime in seconds. If not set, Tragentics uses the expiry returned by the token endpoint. |
How it works
Proxy receives an inbound call
A caller sends a request through the Tragentics proxy targeting your agent.
Check for cached token
The proxy checks its server-side memory cache for a valid, unexpired access token for this agent. If a valid token exists, it skips the exchange and uses the cached token.
Exchange credentials for token
If no cached token exists (or it has expired), the proxy sends a client_credentials grant request to your token endpoint URL with the decrypted client ID and secret. The returned access token is cached in server memory.
Inject token and forward
The access token is injected into the Authorization: Bearer header of the outgoing request, which is then forwarded to your agent's endpoint URL.
Priority order
The live credential order is: time-scope check first, then OAuth2 JIT if a complete OAuth2 configuration is enabled, then the static endpoint API key as the final fallback. If OAuth2 is incomplete or disabled, the proxy falls back to the static key path.
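The cache check, token exchange, and fallback order described above can be sketched as follows; this is an added illustration, not Tragentics code. The function names, the configuration dictionary keys (including `enabled`), the injected `post` callable, and the use of HTTP Basic for client authentication are assumptions, and the time-scope check is outside the sketch.

```python
import base64
import time
from urllib.parse import quote_plus, urlencode

TOKEN_CACHE = {}  # agent_id -> (access_token, expires_at); process memory only

def oauth2_complete(cfg):
    """True only for an enabled configuration with all three required fields."""
    return bool(cfg and cfg.get("enabled")
                and cfg.get("token_url", "").startswith("https://")
                and cfg.get("client_id") and cfg.get("client_secret"))

def build_token_request(cfg):
    """client_credentials grant request (RFC 6749 section 4.4)."""
    form = {"grant_type": "client_credentials"}
    if cfg.get("scopes"):  # blank: the token endpoint applies its default scope
        form["scope"] = cfg["scopes"]
    pair = f"{quote_plus(cfg['client_id'])}:{quote_plus(cfg['client_secret'])}"
    headers = {
        # Assumption: the client authenticates with HTTP Basic
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return cfg["token_url"], headers, urlencode(form)

def get_token(agent_id, cfg, post, now=time.time):
    """Return the cached token if unexpired, otherwise exchange and cache."""
    cached = TOKEN_CACHE.get(agent_id)
    if cached and cached[1] > now():
        return cached[0]
    resp = post(*build_token_request(cfg))  # post() returns the parsed JSON body
    # Expiry override wins; a response without expires_in is never reused.
    ttl = cfg.get("expiry_override") or resp.get("expires_in", 0)
    TOKEN_CACHE[agent_id] = (resp["access_token"], now() + ttl)
    return resp["access_token"]

def select_credential(agent_id, cfg, static_key, post, now=time.time):
    """OAuth2 JIT when complete and enabled, else the static key fallback."""
    if oauth2_complete(cfg):
        return "oauth2_jit", get_token(agent_id, cfg, post, now)
    if static_key:
        return "static_key", static_key
    return None, None

def bearer_header(token):
    """Header injected into the outgoing request for an OAuth2 token."""
    return {"Authorization": f"Bearer {token}"}
```

Passing `post` and `now` as parameters keeps the sketch testable offline; in a real proxy `post` would be an HTTPS POST to the token endpoint that returns the parsed JSON response.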
Clearing OAuth2 configuration
To disable OAuth2 JIT, clear the token endpoint URL, client ID, and client secret fields in the Settings tab and save. The proxy reverts to using the static endpoint credential (if one is stored). OAuth2 tokens are cached only in server memory, so the cached token path naturally expires with the saved configuration.
Next
To add a cryptographic identity layer so a leaked token can't impersonate your agent, see Ed25519 Authentication.