
Security JWT

What this category is for

Use JWT nodes to decode tokens, verify signature/claims, or sign tokens inside workflows. This is runtime token handling and does not depend on gateway auth profile settings.

Node list table

Node type: jwt_node
Purpose: Perform decode, verify, or sign operations on JWTs.
Key inputs: Config: operation, plus mode-specific fields (method, secret, jwks_url, issuer, audience, algorithm, expiry_seconds); Input: token for decode/verify, claims for sign
Branch outputs: valid, invalid (verify only)

Common patterns

1) Bearer token verification gate

  • Extract bearer token from request header into input token
  • Configure operation: verify, method: hs256, and secret
  • Route valid to business flow, invalid to 401 response

2) OIDC-style verification via JWKS

  • Configure operation: verify, method: jwks, jwks_url
  • Optionally enforce issuer and audience
  • Use payload claims downstream for authorization decisions

3) Token introspection-lite for logging

  • Configure operation: decode to inspect header/payload without signature enforcement
  • Use only for observability/debugging, not security decisions

4) Service token minting

  • Configure operation: sign with secret and optional expiry_seconds
  • Pass claims input from upstream set_node/code_node

Common mistakes and how to debug

  • Missing secret on hs256 verify/sign: verify returns invalid; sign returns execution error. Confirm config uses non-empty secret.
  • JWKS verify failing with kid errors: token header must include kid; JWKS endpoint must expose matching key.
  • Bearer prefix issues: node trims Bearer automatically, but malformed token format still returns invalid.
  • Issuer/audience mismatch: verify may pass signature but fail claim checks; inspect error output for exact mismatch.
  • Using decode for access control: decode does not verify signature. Use verify for trust decisions.
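The verify gate (pattern 1), the minting step (pattern 4) and the decode-versus-verify point above, shown as an added Python example that is not part of this page or the product: a standard-library HS256 sign/verify pair, with the node's branch outputs modelled as "valid"/"invalid" return values. The function names, error strings and the 300-second default expiry are this example's own assumptions, not the node's.

```python
import base64, hashlib, hmac, json, time

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims, secret, expiry_seconds=300, now=None):
    """'sign' operation: header.payload.HMAC-SHA256, with iat/exp from expiry_seconds (assumed names)."""
    now = int(time.time()) if now is None else now
    payload = dict(claims, iat=now, exp=now + expiry_seconds)
    signing_input = "%s.%s" % (_b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
                               _b64url(json.dumps(payload).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def decode_unverified(token):
    """'decode' operation: header/payload only, no signature enforcement (observability use only)."""
    h, p, _ = token.split(".")
    return {"header": json.loads(_b64url_decode(h)), "payload": json.loads(_b64url_decode(p))}

def verify_hs256(token, secret, issuer=None, audience=None, now=None):
    """'verify' operation: returns ("valid", payload) or ("invalid", {"error": ...})."""
    if not secret:  # missing secret -> invalid branch, as the node does
        return "invalid", {"error": "missing secret"}
    if token.startswith("Bearer "):  # node trims the Bearer prefix automatically
        token = token[len("Bearer "):]
    parts = token.split(".")
    if len(parts) != 3:
        return "invalid", {"error": "malformed token"}
    h, p, s = parts
    try:
        header, payload, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return "invalid", {"error": "malformed token"}
    if not isinstance(header, dict) or not isinstance(payload, dict) or header.get("alg") != "HS256":
        return "invalid", {"error": "unexpected alg"}  # pin the algorithm; never trust alg from the token
    expected = hmac.new(secret.encode(), (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return "invalid", {"error": "bad signature"}
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return "invalid", {"error": "expired"}
    if issuer is not None and payload.get("iss") != issuer:
        return "invalid", {"error": "issuer mismatch: got %r" % payload.get("iss")}
    if audience is not None and payload.get("aud") != audience:
        return "invalid", {"error": "audience mismatch: got %r" % payload.get("aud")}
    return "valid", payload
```

A token whose payload has been swapped still decodes cleanly but fails verify with "bad signature", which is why decode output must not drive access control.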