Skip to main content

Documentation Index

Fetch the complete documentation index at: https://engineering.unkey.com/llms.txt

Use this file to discover all available pages before exploring further.

JWTAuth validates Bearer JSON Web Tokens using JWKS, an OIDC issuer, or a static public key, and produces a principal on success.
JWTAuth is defined in the policy schema but is not executed by the sentinel engine yet.

Fields

jwks_uri
string
URL of the JWKS endpoint for token verification.
oidc_issuer
string
OIDC issuer URL. Sentinel discovers the JWKS URI from the issuer’s .well-known/openid-configuration.
public_key_pem
bytes
PEM-encoded public key for token verification. Use this for static key pairs.
issuer
string
Required iss claim value.
audiences
string[]
Allowed aud claim values.
algorithms
string[]
Allowed signing algorithms.
subject_claim
string
Claim used as the principal subject. Defaults to sub.
allow_anonymous
bool
When true, requests without a token are allowed through without setting a principal.
clock_skew_ms
int64
Tolerance for time-based claim validation (exp, nbf, iat), in milliseconds.
jwks_cache_ms
int64
How long to cache the JWKS response, in milliseconds.

Examples

{
  "policies": [
    {
      "id": "jwt-auth",
      "name": "Validate JWTs via OIDC",
      "enabled": true,
      "match": [],
      "jwtauth": {
        "oidc_issuer": "https://auth.example.com",
        "audiences": ["api.example.com"],
        "algorithms": ["RS256"]
      }
    }
  ]
}