You are viewing a previous version of KrakenD Community Edition (v1.3); go to the latest version.

JSON Web Tokens overview

Document updated on Nov 3, 2018

The JSON Web Token specification is an industry standard to represent claims securely between two parties. The JWT is an encoded JSON object that contains key-value pairs of attributes that are signed by a trusted authority.

When JWT shields a specific set of endpoints, every request to the API gateway must carry a token. The token is verified on every request: its signature is checked and, optionally, its issuer, roles, and audience claims are verified to be sufficient for the endpoint. No external access is needed other than the initial load of the JWK URL used to validate tokens.

Only if the token is valid and passes all the checks is the user authorized to access the endpoint and the request allowed to continue.

New to JWT?
If you are not familiar with JWT yet, read the “Introduction to JSON Web Tokens”.

KrakenD JWT implementations

KrakenD implements both a JWT signing and a JWT validation model to protect endpoints from users who are not entitled to the information behind them, reinforcing security.

  • Sign tokens when you have no identity server yet (like a classic monolithic application with a /login endpoint) and let KrakenD take care of the token signing with the private key.
  • Validate tokens issued by a third party or the JWT signing middleware, ensuring their integrity and proper claims.

A stateless system like KrakenD does not issue tokens; issuing them is the responsibility of your backend or identity server.
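As an added example (not KrakenD's own code), the two models above in Python with only the standard library: `sign_hs256` plays the identity server that issues an HS256 token, and `validate` plays the gateway, applying the checks described earlier (signature, expiry, issuer, audience, roles) to every request. The key, issuer, audience and role values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Added example (not KrakenD code): the checks a gateway applies to an HS256 JWT on
# every request: signature, expiry, issuer, audience and roles. Keys are constructed.

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way an identity server (never the gateway itself) would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate(token, key, issuer, audience, roles, now, roles_key="roles"):
    """Return (claims, "ok") when every check passes, otherwise (None, reason).
    `now` is the current Unix time (pass time.time() in real use)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return None, "malformed token"
        # Pin the algorithm to the configured one instead of trusting the header's
        # "alg", so an unsigned ("none") or re-signed token is rejected outright.
        if header.get("alg") != "HS256":
            return None, "unexpected alg"
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None, "bad signature"
    except ValueError:  # wrong number of segments, bad base64 or bad JSON
        return None, "malformed token"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None, "expired"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # RFC 7519: "aud" is a string or a list
    if not set(aud) & set(audience):
        return None, "wrong audience"
    if roles and not set(claims.get(roles_key, [])) & set(roles):
        return None, "missing role"
    return claims, "ok"
```

The signature is checked before any claim is read, so a token that fails the signature check never influences routing, no matter what its claims say.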
