The JSON Web Token specification (JWT, RFC 7519) is an industry standard for representing claims between two parties. A JWT is a base64url-encoded header and JSON payload of key-value claims, signed by a trusted authority so that whoever receives it can verify who issued it and that its contents have not been altered.
When JWT protects a set of endpoints, every request to the API gateway for those endpoints must carry a token. The gateway verifies the token on every request: it checks the signature against the expected key and that the token has not expired, and optionally that the issuer, roles, and audience in the claims are acceptable for the endpoint being called.
Only when the token is valid and passes all of these checks is the request authorized to continue to the endpoint; otherwise the gateway rejects it without forwarding it to any backend.
New to JWT?
If you are not familiar with JWT yet, read the “Introduction to JSON Web Tokens”
KrakenD JWT implementations
- Sign tokens when an internal backend generates the claims (a plain JSON payload) and you want KrakenD to sign them with its private key before the token reaches the client.
- Validate tokens issued by a third party (or by the signer above), ensuring the signature is genuine and the claims are the ones the endpoint expects.
In both cases KrakenD, being stateless, does not issue tokens itself: it either signs claims a backend produced or validates tokens produced elsewhere.
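The following Python script is added here as an illustration and is not KrakenD's own code. It plays both roles from the list above: sign_hs256 stands in for the signer (it takes plain claims a backend produced and signs them), and validate_hs256 stands in for the validator, running the checks described at the top of the page in the order a gateway should run them (signature first, then expiry, issuer, audience and roles). It uses only the standard library with an HS256 shared secret; the key id, secret, issuer and audience are made-up constants. A production gateway would normally use an asymmetric algorithm such as RS256 with public keys fetched from a JWK endpoint, but the claim checks are the same.

```python
"""HS256 JWT sign + validate, standard library only (added example, not KrakenD code)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo material: assumed values, not from any real deployment.
KEYS = {"sim2": b"demo-shared-secret-at-least-32-bytes-long!!"}
ISSUER = "https://issuer.example"
AUDIENCE = "orders-api"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, kid: str) -> str:
    """Signer role: the backend produced the claims as plain JSON; we add the
    header and the HMAC over header.payload using the key selected by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    tag = hmac.new(KEYS[kid], signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def validate_hs256(token, issuer, audience, required_roles, roles_key="roles", now=None):
    """Validator role. Returns (True, claims) or (False, reason).
    Order matters: nothing in the payload is trusted until the signature holds."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable header or signature"
    # Pin the algorithm server-side; the token's own "alg" (e.g. "none") is never honoured.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    try:
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:
        return False, "undecodable payload"
    if not isinstance(claims, dict):
        return False, "payload is not an object"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"  # a missing exp is treated as expired
    if "nbf" in claims and now < claims["nbf"]:
        return False, "not yet valid"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if audience not in aud:
        return False, "wrong audience"
    roles = claims.get(roles_key, [])
    if required_roles and not set(required_roles) & set(roles):
        return False, "insufficient roles"
    return True, claims


def demo(now=1_700_000_000):
    """Sign one token and run it, plus forged and stale variants, through the validator."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
              "roles": ["reader"], "exp": now + 600}
    token = sign_hs256(claims, "sim2")
    head, body, sig = token.split(".")
    # Payload edited to grant a role, original signature left in place.
    forged_body = b64url_encode(json.dumps(dict(claims, roles=["admin"])).encode())
    # Header swapped to alg=none, signature dropped.
    none_head = b64url_encode(b'{"alg":"none","kid":"sim2"}')
    return {
        "valid": validate_hs256(token, ISSUER, AUDIENCE, ["reader"], now=now),
        "wrong_audience": validate_hs256(token, ISSUER, "billing-api", ["reader"], now=now),
        "missing_role": validate_hs256(token, ISSUER, AUDIENCE, ["admin"], now=now),
        "expired": validate_hs256(token, ISSUER, AUDIENCE, ["reader"], now=now + 601),
        "tampered": validate_hs256(f"{head}.{forged_body}.{sig}", ISSUER, AUDIENCE, ["admin"], now=now),
        "alg_none": validate_hs256(f"{none_head}.{body}.", ISSUER, AUDIENCE, ["reader"], now=now),
    }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:15s} {'accepted' if ok else 'rejected: ' + detail}")
```

Two design points carry over to any validator, whatever the library: the accepted algorithm and key are chosen from server-side configuration, never from the token's own header, and every claim check happens only after the signature has been verified, so a forged payload is never even parsed for its roles.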