LlamaIndex SDK — Agent delegation

Before you write any code, two things need to exist in the AuthSec UI: an AI Agent client (gives your agent an identity) and a trust delegation (declares what that agent is allowed to do). Only then does the SDK have something to talk to.

Step 1 — Register the AI Agent

In the sidebar, go to Clients → MCP Servers / AI Agents.
Click Onboard New Client.
In the modal, select AI Agent.
Enter an AI Agent Name (e.g., Customer Support).
Choose the Platform your agent runs on (e.g., Kubernetes).
Fill in the platform selectors that identify the workload at runtime:

Key Example value
k8s:ns production
k8s:sa customer-support-sa
k8s:pod-label:app customer-support
k8s:container-name agent
Click + Onboard.

Key	Example value
`k8s:ns`	`production`
`k8s:sa`	`customer-support-sa`
`k8s:pod-label:app`	`customer-support`
`k8s:container-name`	`agent`

After onboarding, the client detail page shows the Client ID — copy it. You'll set it as AUTHSEC_AGENT_CLIENT_ID in your environment.

Step 2 — Create a trust delegation

Trust delegation tells AuthSec which roles and actions the agent may request tokens for.

In the sidebar, click Trust Delegation.
Click Create trust delegation.
Define context:
- Set the Role the delegation applies to.
- Set Target Type to LlamaIndex AI agent.
- Under Client / Application, select the agent you just registered.
Assign permissions: choose the Allowed Actions the agent can perform. You can select individual actions or use Select All.
Set duration: enter a Maximum Duration and unit (e.g., 1 Hour). Use the shortest window that fits your use case.
Click Create Trust Delegation. A successful save returns you to the Trust Delegation dashboard.

Step 3 — Install the SDK

pip install authsec-llamaindex

The package is on PyPI.

Verify:

python -c "from authsec_llamaindex import AuthSecSecureReader; print('OK')"

Also install the required dependencies:

pip install "llama-index-core>=0.10" "authsec-langchain-sdk" "requests"

Step 4 — Configure the client

import os
from authsec_llamaindex import AuthSecSecureReader

reader = AuthSecSecureReader(
    base_url=os.environ["AUTHSEC_BASE_URL"],
    client_id=os.environ["AUTHSEC_AGENT_CLIENT_ID"],  # from Step 1
)

The reader caches the delegation token internally and only hits the network on first call or after expiry.

Step 5 — Load data with delegation

Call reader.load_data() with the endpoint of a protected API. The reader calls get_delegation_token() internally and passes the JWT as a Bearer token to the endpoint.

from llama_index.core import VectorStoreIndex

documents = reader.load_data(endpoint=os.environ["DOWNSTREAM_URL"] + "/docs")
index = VectorStoreIndex.from_documents(documents)
query_engine = index.as_query_engine()
response = query_engine.query("Summarise the latest billing records.")
print(response)

Step 6 — Run the smoke test

export AUTHSEC_BASE_URL="https://your-authsec-server"
export AUTHSEC_AGENT_CLIENT_ID="your-client-id"
python examples/smoke_local.py

On Windows (PowerShell):

$env:AUTHSEC_BASE_URL = "https://your-authsec-server"
$env:AUTHSEC_AGENT_CLIENT_ID = "your-client-id"
python examples/smoke_local.py

How the delegation token endpoint works

The SDK calls one endpoint under the hood:

Method	Path
`GET`	`/authsec/uflow/sdk/delegation-token?client_id=<id>`

Response:

{ "token": "<RS256 JWT>", "expires_at": "2026-05-21T07:25:36Z" }

Set base_url to your AuthSec server root — the SDK appends /authsec/... automatically.

Step 1 — Register the AI Agent​

Step 2 — Create a trust delegation​

Step 3 — Install the SDK​

Step 4 — Configure the client​

Step 5 — Load data with delegation​

Step 6 — Run the smoke test​

How the delegation token endpoint works​