Security Configuration

The Security section configures how AI agents authenticate with the Vectra gateway.

Class: Vectra.BuildingBlocks.Configuration.Security.SecurityConfiguration


Agent Authentication

Class: AgentAuthConfiguration

| Property | Type | Default | Description |
|---|---|---|---|
| Provider | AgentAuthProviderType | SelfSigned | Authentication provider: SelfSigned or Jwt |
| SelfSigned | SelfSignedProvider | {} | Self-signed JWT configuration |
| Jwt | JwtProvider | | External JWT configuration |

SelfSigned Provider

Vectra generates its own signing key and issues tokens internally. This is the simplest setup and suitable for development or closed deployments.

"Security": {
  "AgentAuth": {
    "Provider": "SelfSigned"
  }
}

Jwt Provider

Tokens are validated against an external JWT authority (e.g., your own identity provider).

| Property | Type | Description |
|---|---|---|
| Issuer | string | Expected token issuer |
| Audience | string | Expected token audience |
| SecretKey | string | HMAC signing key (for symmetric tokens) |

"Security": {
  "AgentAuth": {
    "Provider": "Jwt",
    "Jwt": {
      "Issuer": "https://auth.example.com",
      "Audience": "vectra-gateway",
      "SecretKey": "your-secret-key"
    }
  }
}

Authentication Flow

  1. An agent calls POST /tokens with its agentId and clientSecret.
  2. Vectra validates the clientSecret using bcrypt (via BcryptSecretHasher).
  3. On success, a JWT is issued containing:
    • sub — the agent's Guid ID
    • trust_score — the agent's current trust score (0.0–1.0)
    • exp — expiry
  4. The agent includes the JWT in subsequent requests as Authorization: Bearer <token>.
  5. AgentAuthMiddleware validates the token on every request and stores AgentId and TrustScore in HttpContext.Items.
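
The checks implied by the Jwt provider settings and the token claims above, as an added example that is not Vectra's own code: a standard-library validator for an HMAC-signed JWT that pins the algorithm and verifies issuer, audience, exp and the trust_score range. HS256, the iss/aud claim names, the sample key and all function names are assumptions; the page only states that SecretKey is an HMAC signing key.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values; Issuer/Audience mirror the Jwt config shown above.
ISSUER, AUDIENCE = "https://auth.example.com", "vectra-gateway"
KEY = b"constructed-demo-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(key: bytes, claims: dict, alg: str = "HS256") -> str:
    """Stand-in for the external authority: sign claims as a compact JWT."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url(_sign(key, header + '.' + body))}"

def validate_token(token, key, issuer, audience, now=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("not JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm (HS256 is an assumption); the token must not choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, _sign(key, header_b64 + "." + body_b64)):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    score = claims.get("trust_score")
    if not isinstance(score, (int, float)) or not 0.0 <= score <= 1.0:
        raise ValueError("trust_score out of range")
    return claims
```

The signature is checked before any claim is read, so iss, aud, exp and trust_score are only trusted once the token is known to come from a holder of the key.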

Secret Management Integration

For production, avoid placing secrets in appsettings.json. Use the Secret Management integration to load keys from environment variables or Azure Key Vault.