Overview
JWT, or JSON Web Token, is a compact and self-contained method for transmitting information between parties as a JSON object. In Traefik Hub, JWTs are used to control access to APIs and API Gateways.
Before you begin
Good to know
If you switch from the default configuration to JSON Web Tokens, all API keys generated in the API Portal are disabled.
Every consumer in Traefik Hub has a user account. The user account identifies the user, and the user account settings determine which APIs and API Portal the user can access.
In Traefik Hub, every user needs to be part of a user group.
It is not possible to assign an individual user to an API; however, you can assign a user to a group as the group's only member.
When a user is a member of multiple groups, the user will inherit the permission level of the group with the most access.
Check the tutorial about user management.
JWT validation
JWT claims are statements in key-value pair format about an entity (typically, the user) and additional data that are digitally signed to ensure their integrity.
Read more
- Learn more about JWT claims.
For validation, Traefik Hub expects to find the following claims in the payload.
Claims

Claim | Description | Example
---|---|---
Groups | Name of the claim that contains the user groups. To consume APIs, a user needs to be part of a user group. For more info, please check the APIAccess CRD and our tutorial about user management. | groups
User ID | Name of the claim that contains the user ID. | sub
The following claims are used for metrics to provide the same labels as with API keys.
Claim | Description | Example
---|---|---
User e-mail | Name of the claim that contains the user e-mail. |
Token name | Name of the claim that contains the name of the token. | azp
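The following is an added example, not code from the Traefik Hub documentation or product: a minimal HS256 validator in Python that checks the signature and expiry, then requires the groups and sub claims from the tables above and reads azp as the token name. The shared secret, the "email" claim name and the sample tokens are constructed assumptions for the demo; Traefik Hub verifies tokens against the issuer's keys.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret: Traefik Hub verifies against the issuer's keys, not a
# secret pasted into code. Claim names follow the tables above; "email" is an
# assumption, since the page leaves the e-mail example blank.
DEMO_SECRET = b"demo-secret-not-for-production"
GROUPS_CLAIM, USER_ID_CLAIM, TOKEN_NAME_CLAIM, EMAIL_CLAIM = "groups", "sub", "azp", "email"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(payload: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT as constructed test input (not production issuance)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_token(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Check signature and expiry, then require the claims Traefik Hub needs.
    Returns the identity derived from the claims; raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    # Pin the algorithm: the token's own "alg" must never choose how it is verified.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if "exp" in claims and claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    groups = claims.get(GROUPS_CLAIM)
    if not isinstance(groups, list) or not groups:  # every user must belong to a group
        raise ValueError("user is not a member of any group")
    if not claims.get(USER_ID_CLAIM):
        raise ValueError("missing user id")
    return {"user_id": claims[USER_ID_CLAIM], "groups": groups,
            "token_name": claims.get(TOKEN_NAME_CLAIM), "email": claims.get(EMAIL_CLAIM)}
```

A token signed with a different key, one past its exp, or one whose payload lacks a non-empty groups list is rejected before any group-based access decision is made.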
What's next
- Learn how to use JWT validation with Keycloak.
- See how to validate JWT with Okta.