By validating JWTs at the network edge, you can: 🔒 Ensure only authenticated users can access your services.
⚡ Reduce backend load by rejecting unauthorized requests early.
🛡 Protect APIs from unauthorized access without modifying your upstream services.

🔍 What are the Benefits of Validating JWTs?

JWTs are commonly used in OAuth 2.0, OpenID Connect (OIDC), and API authentication flows. However, simply including a JWT in a request does not improve security. It must be verified to ensure:
  • The token is properly signed by a trusted provider.
  • The token has not expired.
  • The token contains the correct claims (e.g., roles, permissions).
By performing JWT validation at the edge, you can offload authentication tasks from your backend and prevent unauthorized access before requests reach your service. Key Benefits:
  • Enforcing Authentication: Ensure only authenticated users can access protected resources.
  • API Security & Access Control: Validate JWT claims to enforce role-based access (RBAC) or tenant restrictions.
  • Single Sign-On (SSO) Support: Accept tokens from OAuth, OpenID Connect (OIDC), or enterprise identity providers.
  • Reducing Backend Load: Offload JWT validation to the edge, reducing unnecessary authentication checks.

JWT Validation Examples

The following Traffic Policy configuration is an example configuration of the jwt-validation action. For a more real-world example, check out our Auth0 guide. A useful tool for working with JWTs is provided at jwt.io. Check out the JWT validation traffic policy action page for more details about how it functions and the parameters it accepts. 
apiVersion: ngrok.k8s.ngrok.com/v1alpha1
kind: AgentEndpoint
metadata:
name: example-agent-endpoint
spec:
url: https://example-hostname.ngrok.io
upstream:
  url: http://my-service.my-namespace:8080
trafficPolicy:
  inline:
    on_http_request:
      - actions:
          - type: jwt-validation
            config:
              issuer:
                allow_list:
                  - value: https://example.com/issuer
              audience:
                allow_list:
                  - value: urn:example:api
              http:
                tokens:
                  - type: access_token
                    method: header
                    name: Authorization
                    prefix: "Bearer "
                  - type: it+jwt
                    method: body
                    name: _id_token
              jws:
                allowed_algorithms:
                  - RS256
                  - ES256
                keys:
                  sources:
                    additional_jkus:
                      - https://example.com/issuer/jku