JWT Authentication

Use JWT auth when callers present signed bearer tokens and you want signature and expiry verification at gateway runtime.

What this method does

The gateway verifies the signature and expiry of the presented bearer token and reads these request headers:

  • Authorization: Bearer <jwt>
  • X-Client-ID
  • X-Profile-ID

When to use

  • Partner/client integrations already issuing JWTs
  • Environments where token claims are part of integration design
  • Deployments needing stronger validation than static tokens

How to configure

  1. Set profile auth type to jwt.
  2. Configure signing key / verification settings used by your profile.
  3. Bind profile to collection scope and method rules.
  4. Publish and test with valid + invalid JWTs.

Example

curl -i https://gateway.example.com/orders/123 \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Client-ID: acme-mobile" \
  -H "X-Profile-ID: partner-prod" \
  -H "Accept: application/json"

Verify

  1. Valid JWT for configured profile -> 200.
  2. Expired token or bad signature -> 401.
  3. Valid JWT with out-of-scope profile -> 403.
  4. Blocked method -> 405.
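
As an added example that is not the product's own code, the following stand-alone Python models the checks the gateway performs for this method (profile lookup by X-Profile-ID, HS256 signature and expiry verification, collection scope, method rules) and maps each outcome to the status codes listed above. The PROFILES registry shape, the signing key and the claims are constructed assumptions for the demonstration.

```python
import base64, hashlib, hmac, json, time

# Constructed profile registry standing in for the gateway's configuration
# (hypothetical shape; key material and names are test fixtures, not real values).
PROFILES = {
    "partner-prod": {"key": b"constructed-demo-signing-key",
                     "collections": {"orders"}, "methods": {"GET"}},
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint(key: bytes, claims: dict) -> str:
    """Build an HS256 JWT; used here only to construct test inputs."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify(token: str, key: bytes, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        # Pin the algorithm to the profile's configured one; never honour
        # whatever 'alg' the token itself announces (e.g. 'none').
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return None
        return claims
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None

def gateway_decision(headers: dict, collection: str, method: str, now=None) -> int:
    """Map one request to the status codes listed under 'Verify'."""
    profile = PROFILES.get(headers.get("X-Profile-ID", ""))
    auth = headers.get("Authorization", "")
    if profile is None or not auth.startswith("Bearer "):
        return 401  # no key to verify against, or no bearer token at all
    if verify(auth[len("Bearer "):], profile["key"], now) is None:
        return 401  # expired token or bad signature
    if collection not in profile["collections"]:
        return 403  # valid token, but profile is not bound to this collection
    if method not in profile["methods"]:
        return 405  # method blocked by the profile's method rules
    return 200
```

Unknown profile IDs are treated as 401 here because no verification key can be selected; the real gateway's behaviour for that case is not stated on this page.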

Troubleshoot

  • Repeated 401: check signing key mismatch and token expiry.
  • Repeated 403: check profile binding, methods, and IP rules.
  • Noisy 429: check policy rate/quota settings.