The JWT Validation Traffic Policy action enables you to validate JSON Web Tokens (JWT) on your endpoints before routing traffic to your upstream service. We have created guides for configuring this action with the following providers: A useful tool for working with JWTs is provided at jwt.io.

Configuration Reference

The Traffic Policy configuration reference for this action.

Supported Phases

on_http_request

Type

jwt-validation

Configuration Fields

issuer
object
Required
Configuration object for the Issuer(s) of the JWTs.
audience
object
Configuration object for the Audience(s) of the JWTs.
http
object
Required
Configuration object for the HTTP requests containing JWTs.
jws
object
Required
Configuration object for signed JWTs (JWS).

Behavior

Request Validation

The request is allowed only if it has been correctly signed by the issuer and the defined claims match. For efficient validation of tokens, it is recommended to include the optional kid claim in your JWTs and JWK payload. Custom validation can be implemented in Traffic Policies via the actions.ngrok.jwt_validation.tokens Action Result Variable and its corresponding properties.

Multiple Issuers

You can specify multiple issuers for JWT validation. A request is considered validated if it presents a JWT signed by any of the specified issuers. The issuer must exactly match the one provided in the JWT, including any trailing slashes (/) present in the iss claim.

Multiple Audience Claims

You can optionally specify one or more audience (aud) claims for JWT validation. If present, the aud claim must contain at least one of the specified audience claims and exactly match for validation to succeed.

Multiple Signing Keys

You can provide multiple JSON Web Key Set (JWKS) URLs and signing algorithms. During JWT validation the list of JWKS and algorithms provided will be used in an attempt to validate the JWT. The list will be tried in order and is cached for performance. The cache is refreshed roughly every 15 minutes.

Multiple Tokens

If multiple tokens are defined within the HTTP configuration parameter, all tokens must be present in the request. If all tokens are not present, a 401 Unauthorized status code will be returned.

Examples

Basic Example

The following Traffic Policy configuration is an example configuration of the jwt-validation action. For a more real-world example, check out our Auth0 guide.

Example Traffic Policy Document

on_http_request:
  - actions:
      - type: jwt-validation
        config:
          issuer:
            allow_list:
              - value: https://example.com/issuer
          audience:
            allow_list:
              - value: urn:example:api
          http:
            tokens:
              - type: access_token
                method: header
                name: Authorization
                prefix: 'Bearer '
              - type: it+jwt
                method: body
                name: _id_token
          jws:
            allowed_algorithms:
              - RS256
              - ES256
            keys:
              sources:
                additional_jkus:
                  - https://example.com/issuer/jku

Example Request

$ curl --request GET \
  --url http://example-api.ngrok.app/ \
  --header 'authorization: Bearer <VALID-JWT>'

HTTP/2 200 OK
content-type: text/html

...
In this example, we are sending a request to our API with a valid JWT token in the Authorization header with the Bearer prefix and getting back a 200 OK response.

Action Result Variables

The following variables are made available for use in subsequent expressions and CEL interpolations after the action has run. Variable values will only apply to the last action execution, results are not concatenated.
actions.ngrok.jwt_validation.tokens
array of objects
The list of JSON Web Tokens (JWTs) processed by the action.
actions.ngrok.jwt_validation.error.code
string
A machine-readable code describing an error that occurred during the action’s execution.
actions.ngrok.jwt_validation.error.message
string
A human-readable message providing details about an error that occurred during the action’s execution.