Adding new organizations to NPL Engine requires updating ENGINE_ALLOWED_ISSUERS and restarting the Engine, which causes downtime and doesn’t scale for multi-tenant SaaS.
Request:
REST API to manage trusted JWT issuers at runtime:
Organizations subscribe to NPL Engine operators dynamically. When an organization subscribes, they (or the Engine operator) register the organization’s IAM issuer (Keycloak, Google Workspace, Azure AD, etc.) without impacting other organizations or requiring Engine downtime.
Priority: High (blocks multi-tenant SaaS deployment model)
Before going into the merits of the proposed solution, I do have questions on the actual use case because it hinges on having a single engine instance functioning as a multi-tenant SaaS provider.
An alternative option would be to have one engine per application; and to use a separate orchestrator for deployments. This has many advantages when it comes to controlled version upgrades. It also allows for more fine-grained control on other important settings such as the ENGINE_ADVERTISED_BASE_URL and the various feature flags. This is the exact set-up we’re using at NOUMENA Cloud.
Is there a specific reason this is not an option for you?
Furthermore, the main driver behind this request seems to be the concern for downtime. Have you considered using horizontal scaling and staggered deployments?
The use case is a publicly accessible service to manage stateful multi-agent workflows with fine-grained controls in NPL. Workflows are either based on an existing library of NPL packages (e.g., purchase order workflow) or generated on the fly. Agents are parties on such workflows. They are associated with an organization and receive their JWT from the IAM of the respective organization.
Workflows are also desirable, in which certain parties are added after instantiation of the workflows (e.g., auditor, QA manager). These might receive their JWT from yet unregistered issuers. Having a dynamic way of registering such new JWT issuers seemed like the fastest and most straightforward solution.
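The runtime issuer registry asked for in the request, and the late-added parties (auditor, QA manager) mentioned in the last reply, both hinge on one step: the verifier must pick the key by the token's `iss` claim from a list that can change while the service runs, and must refuse anything whose issuer is not currently registered. The following is an added illustration, not NPL Engine code and not anything published by NOUMENA. It assumes HS256 shared secrets per issuer so that it runs offline (a real Keycloak or Azure AD issuer publishes RS256 keys through a JWKS endpoint, which would replace the key map); the names IssuerRegistry, verify_jwt, make_token and is_rejected, the issuer URLs and the secrets are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import threading
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenRejected(Exception):
    """Raised for any token that must not be trusted."""


class IssuerRegistry:
    """Runtime-mutable allowlist of trusted issuers and their verification keys.

    Stands in for a restart-only setting like ENGINE_ALLOWED_ISSUERS: an admin
    endpoint can call register()/revoke() while request threads verify tokens.
    """

    def __init__(self, initial=None):
        self._lock = threading.Lock()
        self._keys = dict(initial or {})  # issuer URL -> HS256 secret (demo only)

    def register(self, issuer: str, key: bytes) -> None:
        with self._lock:
            self._keys[issuer] = key

    def revoke(self, issuer: str) -> None:
        with self._lock:
            self._keys.pop(issuer, None)

    def key_for(self, issuer):
        with self._lock:
            return self._keys.get(issuer)

    def issuers(self):
        with self._lock:
            return sorted(self._keys)


def verify_jwt(token: str, registry: IssuerRegistry, now=None) -> dict:
    """Verify an HS256 JWT against the registry and return its claims.

    The unverified `iss` claim is used only to select a key; no other claim is
    trusted until the signature has been checked with that key.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenRejected("malformed token")
    # Pin the algorithm: "none" or anything other than HS256 is refused outright.
    if header.get("alg") != "HS256":
        raise TokenRejected("unsupported alg")
    issuer = payload.get("iss")
    key = registry.key_for(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise TokenRejected(f"issuer not trusted: {issuer!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token expired or missing exp")
    return payload


def make_token(issuer: str, key: bytes, claims: dict) -> str:
    """Mint a constructed HS256 token; stands in for an organization's IAM."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps({"iss": issuer, **claims}).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def is_rejected(token: str, registry: IssuerRegistry, now=None) -> bool:
    try:
        verify_jwt(token, registry, now)
        return False
    except TokenRejected:
        return True


if __name__ == "__main__":
    # Constructed data: org A is known at startup, org B subscribes later.
    org_a, org_b = "https://iam.org-a.example/realms/a", "https://iam.org-b.example"
    reg = IssuerRegistry({org_a: b"constructed-secret-a"})
    auditor = make_token(org_b, b"constructed-secret-b", {"sub": "auditor", "exp": 2_000_000_000})
    print("before registration, rejected:", is_rejected(auditor, reg, now=1_000))
    reg.register(org_b, b"constructed-secret-b")  # no restart needed
    print("after registration, subject:", verify_jwt(auditor, reg, now=1_000)["sub"])
```

The registration and revocation calls are where a REST endpoint would sit; the important property is that a change to the registry takes effect on the next verification without touching tokens from other organizations. Note that the issuer lookup happens before signature verification but the claims are only returned afterwards, so a forged `iss` can at most select a key that will then fail to verify.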