Skip to main content
This guide walks you through configuring the jwt-validation Traffic Policy action to validate tokens you issue from Auth0 on an ngrok-managed domain (referred to as <YOUR_NGROK_DOMAIN> below).

What you’ll need

1. Define your API in Auth0

If you’ve already done this, skip to the next section.
  • Sign in to your Auth0 tenant dashboard.
  • Select Applications > APIs, then + Create API.
  • Name your API whatever you like.
  • Replace the value of the Identifier field with <YOUR_NGROK_DOMAIN>.
  • Leave the default values for JSON Web Token (JWT) Profile and JSON Web Token Signing Algorithm.
  • Click Create.
After creating your API, you can define and add scopes in the Permissions tab. Those values will be populated in the scope claim of your JWT.

2. Access your JWT

When you create a new API, Auth0 creates an associated application under Applications > APIs in the left navigation. Open that application and click the Test tab. There you will find a signed, fully functional JWT and examples for generating others programmatically.

3. Create a Machine to Machine application

When you create your API in Auth0, it may automatically create a new Machine to Machine application and authorize it to use your new API. If you added scopes for your API, add them to the new application in the Machine to Machine Applications tab of your new API. If no Machine to Machine app was created, create one and select your new API when prompted.

4. Configure the jwt-validation Traffic Policy action

You now have what you need to configure JWT validation in Traffic Policy. The following is an example Traffic Policy configuration for enabling the action with your Auth0 settings. Customize the variables in issuer.allow_list.value, audience.allow_list.value, and jws.keys.sources.additional_jkus as needed.
  • Find <YOUR_TENANT_ID> and <AUTH0_REGION> in your Auth0 dashboard.
  • <YOUR_NGROK_ID> must match what you entered in Auth0 as the Identifier.
You can take the example token from the Test tab of your Auth0 application and decode it (for example using a JWT decoder) to discover and customize the values as follows:

5. Test JWT validation on your endpoint

Start your endpoint with the new Traffic Policy rule applied, then test it with curl:
If you see the response from your API, the integration is working. You can confirm by sending a malformed token. If you get an error with a valid token, double-check that your issuer and audience values are correct in your Traffic Policy rule.