JWTAuth validates Bearer JSON Web Tokens against keys obtained from a JWKS endpoint, from an OIDC issuer's discovery document, or from a static public key, and produces a principal on success.
JWTAuth is defined in the policy schema but is not yet executed by the Sentinel engine: a policy that uses it is accepted by the schema but currently enforces nothing, so do not rely on it to gate requests until the engine executes it.
Fields
- jwks_uri: URL of the JWKS endpoint from which verification keys are fetched.
- oidc_issuer: OIDC issuer URL. Sentinel fetches the issuer's /.well-known/openid-configuration document and uses the jwks_uri it advertises.
- PEM-encoded public key for token verification. Use this for static key pairs; rotating the key then means changing the policy.
- issuer: Required iss claim value; a token whose iss differs is rejected.
- audiences: Allowed aud claim values. The token's aud, which may be a single string or an array, must contain at least one of them.
- algorithms: Allowed signing algorithms. Pin this to the algorithm(s) the issuer actually uses (for example RS256) so that a token whose header names any other algorithm, none included, is rejected before its signature is examined.
- Claim used as the principal subject. Defaults to sub.
- forward_claims: Claims to copy into the principal's claims map; claims not listed are not forwarded.
- allow_anonymous: When true, requests without a token are allowed through without setting a principal. A request that carries an invalid token is still rejected.
- Tolerance for time-based claim validation (exp, nbf, iat), in milliseconds, to absorb clock skew between the issuer and Sentinel.
- jwks_cache_ms: How long to cache the JWKS response, in milliseconds. A key rotated at the issuer is not seen until the cached response expires.
Examples

OIDC issuer

```json
{
  "policies": [
    {
      "id": "jwt-auth",
      "name": "Validate JWTs via OIDC",
      "enabled": true,
      "match": [],
      "jwtauth": {
        "oidc_issuer": "https://auth.example.com",
        "audiences": ["api.example.com"],
        "algorithms": ["RS256"],
        "forward_claims": ["email", "org_id"]
      }
    }
  ]
}
```

JWKS URI

```json
{
  "policies": [
    {
      "id": "jwt-auth",
      "name": "Validate JWTs via JWKS",
      "enabled": true,
      "match": [],
      "jwtauth": {
        "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
        "issuer": "https://auth.example.com",
        "audiences": ["api.example.com"],
        "algorithms": ["RS256"],
        "jwks_cache_ms": 3600000
      }
    }
  ]
}
```

Optional auth

```json
{
  "policies": [
    {
      "id": "jwt-auth-optional",
      "name": "Optional JWT auth",
      "enabled": true,
      "match": [],
      "jwtauth": {
        "oidc_issuer": "https://auth.example.com",
        "audiences": ["api.example.com"],
        "allow_anonymous": true,
        "forward_claims": ["sub", "email"]
      }
    }
  ]
}
```
Requests without a token pass through without a principal. Requests that present a token which fails validation are rejected rather than treated as anonymous.
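The checks that the field list and the optional-auth example describe, run end to end against a constructed token, as an added example in Go. This is illustration code written for this page, not Sentinel's implementation: the JWKS fetch, OIDC discovery and cache are replaced by a prepared map of kid to RSA public key, only RS256 is implemented, field names follow the JSON examples, and ClockSkewMs is an assumed name for the tolerance field, which the page does not name. MintToken and NewIssuerKey stand in for the identity provider so the example runs offline.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"time"
)

// Policy mirrors the jwtauth fields enforced here; names follow the page's JSON examples.
// ClockSkewMs is an assumed name for the tolerance field (milliseconds, as documented).
type Policy struct {
	Issuer string; Audiences, Algorithms, ForwardClaims []string; AllowAnonymous bool; ClockSkewMs int64
}
type Principal struct{ Subject string; Claims map[string]any } // produced on success
var enc = base64.RawURLEncoding
// decodePart base64url-decodes one JWT segment and parses it as JSON into v.
func decodePart(s string, v any) bool { b, err := enc.DecodeString(s); return err == nil && json.Unmarshal(b, v) == nil }
// NewIssuerKey makes a throwaway RSA key pair standing in for the identity provider's signing key.
func NewIssuerKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// MintToken plays the identity provider: it RS256-signs claims so tokens exist offline.
func MintToken(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + enc.EncodeToString(sig)
}

// audienceOK accepts aud as a single string or an array of strings (RFC 7519 section 4.1.3).
func audienceOK(aud any, allowed []string) bool {
	list, _ := aud.([]any)
	if s, ok := aud.(string); ok { list = []any{s} }
	return slices.ContainsFunc(list, func(x any) bool { s, ok := x.(string); return ok && slices.Contains(allowed, s) })
}

// Authenticate applies the policy to an Authorization header value; keys stands in for the cached JWKS
// (kid -> RSA key). Returns (principal, nil), (nil, nil) for a tokenless request when allow_anonymous is
// set, and (nil, err) for anything else, including every invalid token.
func Authenticate(p Policy, keys map[string]*rsa.PublicKey, authz string, now time.Time) (*Principal, error) {
	if authz == "" && p.AllowAnonymous {
		return nil, nil
	}
	raw, ok := strings.CutPrefix(authz, "Bearer ")
	parts := strings.Split(raw, ".")
	var hdr struct{ Alg, Kid string }
	if !ok || len(parts) != 3 || !decodePart(parts[0], &hdr) {
		return nil, errors.New("missing or malformed bearer token")
	}
	// Pin the algorithm to the policy allow-list before touching key material: this
	// rejects "none" and stops an RSA public key from being fed to an HMAC verifier.
	if hdr.Alg != "RS256" || !slices.Contains(p.Algorithms, hdr.Alg) {
		return nil, errors.New("algorithm not allowed: " + hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub := keys[hdr.Kid]; pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown kid or bad signature")
	}
	var claims map[string]any // trusted only from here on, after the signature check
	if !decodePart(parts[1], &claims) {
		return nil, errors.New("malformed claims")
	}
	if (p.Issuer != "" && claims["iss"] != p.Issuer) || !audienceOK(claims["aud"], p.Audiences) {
		return nil, errors.New("issuer or audience mismatch")
	}
	skew := time.Duration(p.ClockSkewMs) * time.Millisecond // tolerance applied to exp, nbf and iat
	exp, ok := claims["exp"].(float64)                      // encoding/json decodes numbers as float64
	if !ok || now.After(time.Unix(int64(exp), 0).Add(skew)) {
		return nil, errors.New("token expired or missing exp")
	}
	for _, c := range []string{"nbf", "iat"} {
		if t, ok := claims[c].(float64); ok && now.Add(skew).Before(time.Unix(int64(t), 0)) {
			return nil, errors.New(c + " lies in the future")
		}
	}
	pr := &Principal{Claims: map[string]any{}}
	if pr.Subject, _ = claims["sub"].(string); pr.Subject == "" {
		return nil, errors.New("missing sub claim")
	}
	for _, c := range p.ForwardClaims { // only allow-listed claims reach the principal
		if v, ok := claims[c]; ok {
			pr.Claims[c] = v
		}
	}
	return pr, nil
}
func main() {
	priv, now := NewIssuerKey(), time.Now()
	tok := MintToken(priv, "k1", map[string]any{"iss": "https://auth.example.com", "aud": "api.example.com", "sub": "user-1", "email": "a@example.com", "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	p := Policy{Issuer: "https://auth.example.com", Audiences: []string{"api.example.com"}, Algorithms: []string{"RS256"}, ForwardClaims: []string{"email", "org_id"}, ClockSkewMs: 5000}
	pr, err := Authenticate(p, map[string]*rsa.PublicKey{"k1": &priv.PublicKey}, "Bearer "+tok, now)
	fmt.Printf("principal=%+v err=%v\n", pr, err)
}
```

The order of checks is the security-relevant part: the algorithm is compared with the allow-list before any key is looked up, the signature is verified before the claims are parsed or trusted, and only then are iss, aud and the time claims (with the skew tolerance) examined. allow_anonymous short-circuits only when the Authorization header is absent; a header that is present but unusable still produces an error, which matches the behaviour described for the optional-auth policy.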