
jwtAuth

jwtAuth(config): Policy

Defined in: src/policies/auth/jwt-auth.ts:82

Validate JWT tokens and optionally forward claims as upstream headers.

Supports both HMAC (shared secret) and RSA (JWKS endpoint) verification. JWKS responses are cached for 5 minutes. The "none" algorithm is always rejected, so an unsigned token cannot bypass signature verification.

Parameters

config: JwtAuthConfig

JWT authentication settings. Requires either secret (HMAC) or jwksUrl (RSA).

Returns

Policy

A Policy at priority 10 (runs early, before rate limiting).

// HMAC verification with a shared secret
createGateway({
routes: [{
path: "/api/*",
pipeline: {
policies: [jwtAuth({ secret: env.JWT_SECRET })],
upstream: { type: "url", target: "https://backend.internal" },
},
}],
});

// JWKS verification (e.g. Supabase, Auth0) with claim forwarding
jwtAuth({
jwksUrl: "https://your-project.supabase.co/auth/v1/.well-known/jwks.json",
issuer: "https://your-project.supabase.co/auth/v1",
forwardClaims: { sub: "x-user-id", email: "x-user-email" },
});
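A worked verifier exercising the behaviour described above: the verification procedure is fixed by the configured key so "none" is rejected, HMAC (shared secret) and RSA (JWKS) verification, the 5-minute JWKS cache, issuer and expiry checks, and claim-to-header forwarding. This is an added example, not the project's jwtAuth implementation: the VerifierConfig, JwksCache, verifyJwt, upstreamHeaders, signJwt and demo names are assumptions made for this example, the JWKS loader is an in-process stand-in for fetching jwksUrl, and every key, token, header and timestamp is constructed inline.

```typescript
import { createHmac, createPublicKey, createSign, createVerify, generateKeyPairSync, timingSafeEqual, KeyObject, type JsonWebKey } from "node:crypto";

type Claims = Record<string, unknown>;
class JwtError extends Error {}

// Hypothetical config modelled on the page's JwtAuthConfig (not the project's type); `jwks` stands in for fetching jwksUrl.
interface VerifierConfig {
  secret?: string;                        // HMAC mode: verify with HS256
  jwks?: JwksCache;                       // RSA mode: verify with RS256 against a JWKS
  issuer?: string;                        // expected iss claim, when set
  forwardClaims?: Record<string, string>; // claim name -> upstream header name
}

const b64url = (d: string | Buffer): string => (typeof d === "string" ? Buffer.from(d) : d).toString("base64url");

// JWKS cache with the 5-minute TTL the page describes; `fetches` counts loads so the cache reuse is observable.
class JwksCache {
  private keys: JsonWebKey[] = []; private fetchedAt = -Infinity; fetches = 0;
  private readonly load: () => { keys: JsonWebKey[] };
  constructor(load: () => { keys: JsonWebKey[] }) { this.load = load; }
  key(kid: unknown, nowMs: number): KeyObject {
    if (nowMs - this.fetchedAt >= 5 * 60 * 1000) { this.keys = this.load().keys; this.fetchedAt = nowMs; this.fetches++; }
    const jwk = this.keys.find((k) => k.kty === "RSA" && k.kid === kid);
    if (!jwk) throw new JwtError(`no RSA key with kid ${String(kid)}`);
    return createPublicKey({ key: jwk, format: "jwk" });
  }
}

function verifyJwt(token: string, cfg: VerifierConfig, nowSec: number): Claims {
  if (cfg.secret === undefined && !cfg.jwks) throw new Error("config needs either secret or jwks");
  const parts = token.split(".");
  if (parts.length !== 3) throw new JwtError("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8")) as Claims;
  const sig = Buffer.from(s, "base64url");
  // The procedure is fixed by the configured key, never chosen by the token's alg header: "none" is rejected
  // outright, and so is an HS256 token in JWKS mode, which blocks RS256 -> HS256 key confusion (HMAC with the public key).
  if (cfg.secret !== undefined) {
    if (header.alg !== "HS256") throw new JwtError(`alg ${String(header.alg)} rejected`);
    const mac = createHmac("sha256", cfg.secret).update(`${h}.${p}`).digest();
    if (mac.length !== sig.length || !timingSafeEqual(mac, sig)) throw new JwtError("bad signature");
  } else {
    if (header.alg !== "RS256") throw new JwtError(`alg ${String(header.alg)} rejected`);
    const key = cfg.jwks!.key(header.kid, nowSec * 1000);
    if (!createVerify("RSA-SHA256").update(`${h}.${p}`).verify(key, sig)) throw new JwtError("bad signature");
  }
  // Claims are trusted only after the signature check; exp is required here, or the token would never expire.
  const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8")) as Claims;
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new JwtError("expired or no exp");
  if (cfg.issuer !== undefined && claims.iss !== cfg.issuer) throw new JwtError("issuer mismatch");
  return claims;
}

// Upstream headers: client-supplied copies of the forwarded header names are dropped first, so nobody can smuggle an x-user-id.
function upstreamHeaders(incoming: Record<string, string>, claims: Claims, map: Record<string, string>): Record<string, string> {
  const reserved = new Set(Object.values(map).map((n) => n.toLowerCase()));
  const out: Record<string, string> = {};
  for (const [name, v] of Object.entries(incoming)) if (!reserved.has(name.toLowerCase())) out[name.toLowerCase()] = v;
  for (const [claim, name] of Object.entries(map)) if (claims[claim] !== undefined) out[name.toLowerCase()] = String(claims[claim]);
  return out;
}

// Signer used only to construct sample tokens: HS256, RS256, or an unsigned "none" token.
function signJwt(header: Claims, claims: Claims, key: string | Buffer | KeyObject): string {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = header.alg === "HS256" ? createHmac("sha256", key).update(input).digest()
    : header.alg === "RS256" ? createSign("RSA-SHA256").update(input).sign(key as KeyObject) : Buffer.alloc(0);
  return `${input}.${b64url(sig)}`;
}

function demo(): Record<string, boolean | number> {
  const ok = (f: () => unknown): boolean => { try { f(); return true; } catch { return false; } };
  const now = 1700000000, iss = "https://issuer.example", secret = "constructed-shared-secret"; // all constructed
  const hs: VerifierConfig = { secret, issuer: iss, forwardClaims: { sub: "x-user-id", email: "x-user-email" } };
  const base = { sub: "user-123", email: "u@example.com", iss, exp: now + 3600 };
  const good = signJwt({ alg: "HS256" }, base, secret);
  const tampered = good.replace(b64url(JSON.stringify(base)), b64url(JSON.stringify({ ...base, sub: "admin" })));
  const none = signJwt({ alg: "none" }, { ...base, sub: "admin" }, "");
  const expired = signJwt({ alg: "HS256" }, { ...base, exp: now - 1 }, secret);
  const wrongIss = signJwt({ alg: "HS256" }, { ...base, iss: "https://evil.example" }, secret);
  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const jwks = new JwksCache(() => ({ keys: [{ ...publicKey.export({ format: "jwk" }), kid: "k1" }] }));
  const rs: VerifierConfig = { jwks, issuer: iss };
  const rsGood = signJwt({ alg: "RS256", kid: "k1" }, base, privateKey);
  const pem = publicKey.export({ type: "spki", format: "pem" }) as string;
  const confused = signJwt({ alg: "HS256", kid: "k1" }, { ...base, sub: "admin" }, pem); // key-confusion forgery
  const rsValid = ok(() => verifyJwt(rsGood, rs, now)) && ok(() => verifyJwt(rsGood, rs, now));
  const fetchesAfterTwo = jwks.fetches;       // 1: the second verification reused the cache
  ok(() => verifyJwt(rsGood, rs, now + 301)); // 301 s later the 5-minute cache has expired
  const headers = upstreamHeaders({ "X-User-Id": "spoofed", accept: "*/*" }, verifyJwt(good, hs, now), hs.forwardClaims!);
  const rejects = (t: string, c: VerifierConfig): boolean => !ok(() => verifyJwt(t, c, now));
  return {
    hsValid: ok(() => verifyJwt(good, hs, now)), rsValid, fetchesAfterTwo, fetchesAfterTtl: jwks.fetches,
    tamperedRejected: rejects(tampered, hs), noneRejected: rejects(none, hs), expiredRejected: rejects(expired, hs),
    issuerRejected: rejects(wrongIss, hs), confusionRejected: rejects(confused, rs),
    spoofedHeaderDropped: headers["x-user-id"] === "user-123" && headers["accept"] === "*/*",
  };
}

console.log(demo());
```

Two points the example makes beyond the description above, both design choices of this example rather than documented behaviour of jwtAuth: in JWKS mode an HS256 token is rejected even when it carries a valid HMAC computed with the public key as the secret (the RS256 to HS256 confusion attack), and when forwarding claims the gateway drops any client-supplied header of the same name before setting it from the verified token, so a caller cannot pre-populate x-user-id. Check how the project's own implementation handles both before relying on forwarded headers upstream.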