Authentication
Set up inbound authentication to control access to agents and outbound authentication to securely access OCI resources.
Applications support OAuth 2.0 authentication using an identity domain. See Setting up Authentication for Agentic Support.
Inbound Authentication
Inbound authentication controls who can access your agents by validating tokens from identity providers before routing requests to hosted agents.
OCI Generative AI supports OAuth 2.0 for inbound authentication, integrated with identity providers such as Oracle Identity Cloud Service (IDCS). See Setting up Authentication for Agentic Support.
Outbound Authentication
With outbound authentication, deployed agent applications can securely access other OCI resources within a tenancy.
Access is granted by defining OCI IAM policies that authorize the agent application (as a resource principal) to perform specific actions on specified resources. These policies determine the scope of access, following the principle of least privilege.
After deployment, the platform automatically provisions a Resource Principal Session Token (RPST) for the agent workload. The RPST is securely injected into the container runtime, allowing the application to authenticate to OCI services without using long-lived credentials such as API keys or user tokens.
Within the container, the agent uses the OCI SDK with the resource principal authentication provider. The SDK automatically retrieves and refreshes the RPST, enabling secure access to authorized OCI services such as Object Storage, Autonomous Database, Vault, and Streaming.
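The following is an added example, not code from the OCI documentation: a Python sketch of an agent reading one Object Storage object through the resource principal provider, with a helper that tells an authentication failure from a missing IAM policy grant. The bucket and object names are placeholders, and the `oci` Python SDK is assumed to be installed in the container image.

```python
"""Added example: read one object from inside a deployed agent container
using resource principal authentication (no API key, no user token)."""


def explain_failure(status: int, code: str) -> str:
    """Map an OCI API error (HTTP status, error code) to its likely cause."""
    if status == 401 and code == "NotAuthenticated":
        return "authentication: the request signature or RPST was rejected"
    if status == 404 and code == "NotAuthorizedOrNotFound":
        # OCI deliberately does not tell the caller which of the two applies.
        return ("authorization: no IAM policy grants this action, "
                "or the resource does not exist")
    if status == 404:
        return "not-found: the service reports the resource is missing"
    return f"other: HTTP {status} {code}"


def read_object(bucket: str, name: str) -> bytes:
    """Fetch one object with the identity of the agent application."""
    import oci  # imported here so explain_failure() works without the SDK

    # The signer picks up the RPST that the platform injected into the
    # container and refreshes it; no config file or key material is needed.
    signer = oci.auth.signers.get_resource_principals_signer()
    client = oci.object_storage.ObjectStorageClient(config={}, signer=signer)
    try:
        namespace = client.get_namespace().data
        return client.get_object(namespace, bucket, name).data.content
    except oci.exceptions.ServiceError as err:
        raise RuntimeError(explain_failure(err.status, err.code)) from err


if __name__ == "__main__":
    # Placeholder names; the IAM policy must allow reading this bucket.
    data = read_object("example-agent-bucket", "example-input.json")
    print(f"read {len(data)} bytes")
```

An "authorization" result on a resource known to exist points at the IAM policy for the agent application rather than at the token.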