Authentication
Dockrion supports multiple authentication modes for protecting your agent’s API. The auth section in the Dockfile configures how callers prove their identity.
Auth Mode Comparison
| Mode | Config key | Status | Best for |
|---|---|---|---|
| none | mode: none | Implemented | Internal/dev agents with no auth needed |
| api_key | mode: api_key | Implemented | Simple deployments, single or multi-key setups |
| jwt | mode: jwt | Implemented | Enterprise SSO, external identity providers |
| oauth2 | mode: oauth2 | Coming soon | Token introspection via external OAuth2 server |
The default mode is api_key. If you omit the auth section entirely, no authentication middleware is applied (same as mode: none).
Decision Guide
- Just getting started? Skip auth or use mode: none. You can always add it later with dockrion add auth.
- Deploying to production? Use mode: api_key for simplicity, or mode: jwt if you already have an identity provider.
- Multiple teams or roles? Define roles and rate_limits under auth, regardless of mode.
In This Section
| Page | What it covers |
|---|---|
| API Key | env_var, header, prefix, allow_bearer, multi-key setup |
| JWT | JWKS, static public key, claims mapping, algorithms |
| OAuth2 | Token introspection (coming soon) |
| Roles & Rate Limits | Role definitions, permissions, rate limit syntax |
Dockfile Structure
```yaml
auth:
  mode: api_key            # or: none, jwt, oauth2
  api_keys:                # only relevant when mode: api_key
    env_var: DOCKRION_API_KEY
    header: X-API-Key
    allow_bearer: true
  jwt:                     # only relevant when mode: jwt
    jwks_url: https://...
    algorithms: [RS256]
  roles:                   # works with any mode
    - name: admin
      permissions: [deploy, invoke, view_metrics]
  rate_limits:             # per-role rate limits
    admin: "1000/hour"
    default: "100/hour"
```

Source: AuthConfig in packages/schema/dockrion_schema/dockfile_v1.py
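The omitted-section rule is easy to miss in review: a Dockfile with no auth section runs unauthenticated even though the default mode is api_key. The following is an added example, not Dockrion code, that resolves the effective mode from an already-parsed Dockfile mapping and lists findings for a production deploy. The function names, the sample inputs and the treatment of an empty auth key as omitted are assumptions.

```python
# Added example, not Dockrion code: resolve the effective auth mode of an
# already-parsed Dockfile and list findings for a production deploy.
from typing import Any, List, Mapping

IMPLEMENTED = {"none", "api_key", "jwt"}  # "Implemented" in the comparison table
COMING_SOON = {"oauth2"}                  # listed, but not available yet
DEFAULT_MODE = "api_key"                  # applies when auth exists without mode


def effective_auth_mode(dockfile: Mapping[str, Any]) -> str:
    """Return the auth mode that applies, per the rules on this page."""
    auth = dockfile.get("auth")
    if auth is None:
        # Omitted section: no auth middleware, same as mode: none.
        # Assumption: an empty `auth:` key (YAML null) counts as omitted.
        return "none"
    if not isinstance(auth, Mapping):
        raise ValueError("auth must be a mapping")
    return str(auth.get("mode", DEFAULT_MODE))


def production_findings(dockfile: Mapping[str, Any]) -> List[str]:
    """Reasons this Dockfile should not go to production unchanged."""
    mode = effective_auth_mode(dockfile)
    if mode in COMING_SOON:
        return [f"mode: {mode} is not implemented yet"]
    if mode not in IMPLEMENTED:
        return [f"unknown auth mode {mode!r}"]
    if mode == "none":
        how = "explicit mode: none" if dockfile.get("auth") else "auth section omitted"
        return [f"agent API is unauthenticated ({how})"]
    return []


# Constructed sample inputs (what a YAML loader would return for each Dockfile).
SAMPLES = {
    "no-auth-section": {},
    "auth-without-mode": {"auth": {"roles": [{"name": "admin"}]}},
    "explicit-none": {"auth": {"mode": "none"}},
    "jwt": {"auth": {"mode": "jwt", "jwt": {"algorithms": ["RS256"]}}},
    "oauth2": {"auth": {"mode": "oauth2"}},
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, effective_auth_mode(doc), production_findings(doc))
```

Run as a pre-deploy check, a non-empty findings list is the signal to block the release.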