From ea9790aedb54cd0be6d0f4fa9c3b2b8da71a0b58 Mon Sep 17 00:00:00 2001 From: "madison.packer" Date: Wed, 1 Jul 2026 20:19:19 +0000 Subject: [PATCH] Read org_id claim instead of organization_id for agent access tokens The server now emits org_id as the canonical claim. Update the SDK to read org_id from the JWT payload when validating agent access tokens. Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> --- src/agents/agents.spec.ts | 4 ++-- src/agents/agents.ts | 2 +- src/agents/interfaces/validate-agent-credential.interface.ts | 2 +- .../serializers/validate-agent-credential.serializer.ts | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/agents/agents.spec.ts b/src/agents/agents.spec.ts index 2cdfc7bde..204f83433 100644 --- a/src/agents/agents.spec.ts +++ b/src/agents/agents.spec.ts @@ -15,7 +15,7 @@ const ACCESS_TOKEN_PAYLOAD = { aud: 'proj_123', sub: 'agent_reg_01EHZNVPK3SFK441A1RGBFSHRT', jti: '01EHZNVPK3SFK441A1RGBFSHRT', - organization_id: 'org_01EHZNVPK3SFK441A1RGBFSHRT', + org_id: 'org_01EHZNVPK3SFK441A1RGBFSHRT', scope: 'read write', exp: 4102444800, // 2100-01-01T00:00:00Z iat: 1689646039, @@ -225,7 +225,7 @@ describe('Agents', () => { it('reports invalid for a token missing the agent identity claims', async () => { // A token signed by the same JWKS with the right audience but without - // the agent claims (sub/jti/organization_id) is not an agent credential. + // the agent claims (sub/jti/org_id) is not an agent credential. const { sub, ...withoutSub } = ACCESS_TOKEN_PAYLOAD; jest .mocked(jose.jwtVerify) diff --git a/src/agents/agents.ts b/src/agents/agents.ts index 55e561189..c2362612a 100644 --- a/src/agents/agents.ts +++ b/src/agents/agents.ts @@ -30,7 +30,7 @@ function hasRequiredAgentClaims( (typeof payload.aud === 'string' || Array.isArray(payload.aud)) && typeof payload.sub === 'string' && typeof payload.jti === 'string' && - typeof payload.organization_id === 'string' && + typeof payload.org_id === 'string' && typeof payload.exp === 'number' && typeof payload.iat === 'number' ); diff --git a/src/agents/interfaces/validate-agent-credential.interface.ts b/src/agents/interfaces/validate-agent-credential.interface.ts index 3b52384e6..23c76a910 100644 --- a/src/agents/interfaces/validate-agent-credential.interface.ts +++ b/src/agents/interfaces/validate-agent-credential.interface.ts @@ -79,7 +79,7 @@ export interface SerializedAgentAccessTokenClaims { aud: string | string[]; sub: string; jti: string; - organization_id: string; + org_id: string; exp: number; iat: number; scope?: string; diff --git a/src/agents/serializers/validate-agent-credential.serializer.ts b/src/agents/serializers/validate-agent-credential.serializer.ts index 26aa2362a..0afa94b71 100644 --- a/src/agents/serializers/validate-agent-credential.serializer.ts +++ b/src/agents/serializers/validate-agent-credential.serializer.ts @@ -50,7 +50,7 @@ export function deserializeAgentAccessTokenClaims( audience: payload.aud, registrationId: payload.sub, jti: payload.jti, - organizationId: payload.organization_id, + organizationId: payload.org_id, scope: payload.scope, actor: payload.act, expiresAt: payload.exp,