Basic configuration examples
The following examples provide some typical configurations for enabling the jwt plugin on a service.
Make the following request:
curl -X POST http://localhost:8001/services/{serviceName|Id}/plugins \
  --header "accept: application/json" \
  --header "Content-Type: application/json" \
  --data '
  {
    "name": "jwt",
    "config": {
      "uri_param_names": [
        "paramName_2.2.x"
      ]
    }
  }
  '
Replace {serviceName|Id} with the id or name of the service that this plugin configuration will target.
As this is an auth plugin, you need to create a consumer and attach a credential to it.
Create a consumer:
curl -X POST http://localhost:8001/consumers -d username=alex
Create a jwt credential attached to this consumer:
curl -X POST http://localhost:8001/consumers/alex/jwt \
-d algorithm=HS256 \
-d secret=this_is_a_super_secret_value
You can now authenticate as alex when making your request. See the documentation for more information.
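To show what authenticating as alex involves on the client side, this added example (not part of the Kong documentation or Kong's code) signs an HS256 token with the credential's secret and places it in the paramName_2.2.x query parameter configured above. It assumes the plugin's default of reading the credential key from the iss claim; CREDENTIAL_KEY, PROXY_PATH, port 8000 and verify_hs256 (a local stand-in for the gateway-side check, including its exp check) are illustrative.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

SECRET = "this_is_a_super_secret_value"  # sample secret from this page
KEY = "CREDENTIAL_KEY"                   # placeholder for the credential's `key`

def b64url(raw: bytes) -> str:
    # Unpadded base64url, as JWS requires (RFC 7515).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def secret_meets_rfc7518(secret: str) -> bool:
    # RFC 7518 section 3.2: HS256 keys must be at least 256 bits (32 bytes).
    return len(secret.encode()) >= 32

def mint_hs256(key: str, secret: str, ttl: int = 300, now=None) -> str:
    # `iss` carries the credential key so the gateway can select the secret.
    now = int(time.time()) if now is None else now
    parts = ({"alg": "HS256", "typ": "JWT"}, {"iss": key, "iat": now, "exp": now + ttl})
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"

def verify_hs256(token: str, secret: str, now=None) -> dict:
    # Local stand-in for the gateway check: pin alg, compare MAC, then exp.
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header, claims = json.loads(unb64url(h64)), json.loads(unb64url(c64))
        mac = unb64url(s64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        raise ValueError("expired or missing exp")
    return claims

def request_url(base: str, token: str, param: str = "paramName_2.2.x") -> str:
    # The page's config reads the token from this query-string parameter.
    return f"{base}?{urlencode({param: token})}"

if __name__ == "__main__":
    print(request_url("http://localhost:8000/PROXY_PATH", mint_hs256(KEY, SECRET)))
```

Because uri_param_names puts the token in the URL, it can end up in access logs and Referer headers, so a short ttl limits the exposure. The page's sample secret is 28 bytes, below the 32-byte minimum for HS256, so secret_meets_rfc7518 returns False for it; use a randomly generated secret of at least 32 bytes outside of examples.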
Make the following request, substituting your own access token, region, control plane ID, and service ID:
curl -X POST \
https://{us|eu}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer TOKEN" \
--data '{"name":"jwt","config":{"uri_param_names":["paramName_2.2.x"]}}'
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
As this is an auth plugin, you need to create a consumer and attach a credential to it.
Create a consumer:
curl -X POST https://{us|eu}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers -d username=alex
Create a jwt credential attached to this consumer:
curl -X POST https://{us|eu}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/alex/jwt \
-d algorithm=HS256 \
-d secret=this_is_a_super_secret_value
You can now authenticate as alex when making your request. See the documentation for more information.
First, create a KongPlugin resource:
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: jwt-example
plugin: jwt
config:
  uri_param_names:
  - paramName_2.2.x
" | kubectl apply -f -
Next, apply the KongPlugin resource to an ingress by annotating the service as follows:
kubectl annotate service SERVICE_NAME konghq.com/plugins=jwt-example
Replace SERVICE_NAME with the name of the service that this plugin configuration will target.
You can see your available services by running kubectl get service.
Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.
As this is an auth plugin, you need to create a credential for the plugin. Create a secret with the following command:
echo '
apiVersion: v1
kind: Secret
metadata:
  name: alex-jwt
  labels:
    konghq.com/credential: jwt
stringData:
  algorithm: HS256
  secret: this_is_a_super_secret_value
' | kubectl apply -f -
Finally, create a consumer that will use this credential:
echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: alex
  annotations:
    kubernetes.io/ingress.class: kong
username: alex
credentials:
- alex-jwt
" | kubectl apply -f -
You can now authenticate as alex when making your request. See the documentation for more information.
Add this section to your declarative configuration file:
plugins:
- name: jwt
  service: SERVICE_NAME|ID
  config:
    uri_param_names:
    - paramName_2.2.x
Replace SERVICE_NAME|ID with the id or name of the service that this plugin configuration will target.
As this is an auth plugin, you need to create a consumer and attach a credential to it.
Create a consumer:
consumers:
- username: alex
  jwt_secrets:
  - algorithm: HS256
    secret: this_is_a_super_secret_value
Add the above to your declarative config and apply it to your running Kong instance.
You can now authenticate as alex when making your request. See the documentation for more information.
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "kpat_YOUR_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_jwt" "my_jwt" {
  enabled = true
  config = {
    uri_param_names = ["paramName_2.2.x"]
  }
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}
As this is an auth plugin, you need to create a consumer and attach a credential to it.
Create a consumer:
resource "konnect_gateway_consumer" "alex" {
  username         = "alex"
  custom_id        = "alex-custom"
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
Create a jwt credential attached to this consumer:
resource "konnect_gateway_jwt" "my_jwt" {
  algorithm        = "HS256"
  secret           = "this_is_a_super_secret_value"
  consumer_id      = konnect_gateway_consumer.alex.id
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
The following examples provide some typical configurations for enabling the jwt plugin on a route.
Make the following request:
curl -X POST http://localhost:8001/routes/{routeName|Id}/plugins \
  --header "accept: application/json" \
  --header "Content-Type: application/json" \
  --data '
  {
    "name": "jwt",
    "config": {
      "uri_param_names": [
        "paramName_2.2.x"
      ]
    }
  }
  '
Replace {routeName|Id} with the id or name of the route that this plugin configuration will target.
As this is an auth plugin, you need to create a consumer and attach a credential to it.
Create a consumer:
curl -X POST http://localhost:8001/consumers -d username=alex
Create a jwt credential attached to this consumer:
curl -X POST http://localhost:8001/consumers/alex/jwt \
-d algorithm=HS256 \
-d secret=this_is_a_super_secret_value
You can now authenticate as alex when making your request. See the documentation for more information.
Make the following request, substituting your own access token, region, control plane ID, and route ID:
curl -X POST \
https://{us|eu}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer TOKEN" \
--data '{"name":"jwt","config":{"uri_param_names":["paramName_2.2.x"]}}'
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
As this is an auth plugin, you need to create a consumer and attach a credential to it.
Create a consumer:
curl -X POST https://{us|eu}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers -d username=alex
Create a jwt credential attached to this consumer:
curl -X POST https://{us|eu}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/alex/jwt \
-d algorithm=HS256 \
-d secret=this_is_a_super_secret_value
You can now authenticate as alex when making your request. See the documentation for more information.
First, create a KongPlugin resource:
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: jwt-example
plugin: jwt
config:
  uri_param_names:
  - paramName_2.2.x
" | kubectl apply -f -
Next, apply the KongPlugin resource to an ingress by annotating the ingress as follows:
kubectl annotate ingress INGRESS_NAME konghq.com/plugins=jwt-example
Replace INGRESS_NAME with the name of the ingress that this plugin configuration will target.
You can see your available ingresses by running kubectl get ingress.
Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.
As this is an auth plugin, you need to create a credential for the plugin. Create a secret with the following command:
echo '
apiVersion: v1
kind: Secret
metadata:
  name: alex-jwt
  labels:
    konghq.com/credential: jwt
stringData:
  algorithm: HS256
  secret: this_is_a_super_secret_value
' | kubectl apply -f -
Finally, create a consumer that will use this credential:
echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: alex
  annotations:
    kubernetes.io/ingress.class: kong
username: alex
credentials:
- alex-jwt
" | kubectl apply -f -
You can now authenticate as alex when making your request. See the documentation for more information.
Add this section to your declarative configuration file:
plugins:
- name: jwt
  route: ROUTE_NAME|ID
  config:
    uri_param_names:
    - paramName_2.2.x
Replace ROUTE_NAME|ID with the id or name of the route that this plugin configuration will target.
As this is an auth plugin, you need to create a consumer and attach a credential to it.
Create a consumer:
consumers:
- username: alex
  jwt_secrets:
  - algorithm: HS256
    secret: this_is_a_super_secret_value
Add the above to your declarative config and apply it to your running Kong instance.
You can now authenticate as alex when making your request. See the documentation for more information.
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "kpat_YOUR_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_jwt" "my_jwt" {
  enabled = true
  config = {
    uri_param_names = ["paramName_2.2.x"]
  }
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}
As this is an auth plugin, you need to create a consumer and attach a credential to it.
Create a consumer:
resource "konnect_gateway_consumer" "alex" {
  username         = "alex"
  custom_id        = "alex-custom"
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
Create a jwt credential attached to this consumer:
resource "konnect_gateway_jwt" "my_jwt" {
  algorithm        = "HS256"
  secret           = "this_is_a_super_secret_value"
  consumer_id      = konnect_gateway_consumer.alex.id
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
A plugin which is not associated to any service, route, consumer, or consumer group is considered global, and will be run on every request.
- In self-managed Kong Gateway Enterprise, the plugin applies to every entity in a given workspace.
- In self-managed Kong Gateway (OSS), the plugin applies to your entire environment.
- In Konnect, the plugin applies to every entity in a given control plane.
Read the Plugin Reference and the Plugin Precedence sections for more information.
The following examples provide some typical configurations for enabling the JWT plugin globally.
Make the following request:
curl -X POST http://localhost:8001/plugins/ \
  --header "accept: application/json" \
  --header "Content-Type: application/json" \
  --data '
  {
    "name": "jwt",
    "config": {
      "uri_param_names": [
        "paramName_2.2.x"
      ]
    }
  }
  '
As this is an auth plugin, you need to create a consumer and attach a credential to it.
Create a consumer:
curl -X POST http://localhost:8001/consumers -d username=alex
Create a jwt credential attached to this consumer:
curl -X POST http://localhost:8001/consumers/alex/jwt \
-d algorithm=HS256 \
-d secret=this_is_a_super_secret_value
You can now authenticate as alex when making your request. See the documentation for more information.
Make the following request, substituting your own access token, region, and control plane ID:
curl -X POST \
https://{us|eu}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer TOKEN" \
--data '{"name":"jwt","config":{"uri_param_names":["paramName_2.2.x"]}}'
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
As this is an auth plugin, you need to create a consumer and attach a credential to it.
Create a consumer:
curl -X POST https://{us|eu}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers -d username=alex
Create a jwt credential attached to this consumer:
curl -X POST https://{us|eu}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/alex/jwt \
-d algorithm=HS256 \
-d secret=this_is_a_super_secret_value
You can now authenticate as alex when making your request. See the documentation for more information.
Create a KongClusterPlugin resource and label it as global:
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: <global-jwt>
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: "true"
config:
  uri_param_names:
  - paramName_2.2.x
plugin: jwt
As this is an auth plugin, you need to create a credential for the plugin. Create a secret with the following command:
echo '
apiVersion: v1
kind: Secret
metadata:
  name: alex-jwt
  labels:
    konghq.com/credential: jwt
stringData:
  algorithm: HS256
  secret: this_is_a_super_secret_value
' | kubectl apply -f -
Finally, create a consumer that will use this credential:
echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: alex
  annotations:
    kubernetes.io/ingress.class: kong
username: alex
credentials:
- alex-jwt
" | kubectl apply -f -
You can now authenticate as alex when making your request. See the documentation for more information.
Add a plugins entry in the declarative configuration file:
plugins:
- name: jwt
  config:
    uri_param_names:
    - paramName_2.2.x
As this is an auth plugin, you need to create a consumer and attach a credential to it.
Create a consumer:
consumers:
- username: alex
  jwt_secrets:
  - algorithm: HS256
    secret: this_is_a_super_secret_value
Add the above to your declarative config and apply it to your running Kong instance.
You can now authenticate as alex when making your request. See the documentation for more information.
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "kpat_YOUR_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_jwt" "my_jwt" {
  enabled = true
  config = {
    uri_param_names = ["paramName_2.2.x"]
  }
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
As this is an auth plugin, you need to create a consumer and attach a credential to it.
Create a consumer:
resource "konnect_gateway_consumer" "alex" {
  username         = "alex"
  custom_id        = "alex-custom"
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
Create a jwt credential attached to this consumer:
resource "konnect_gateway_jwt" "my_jwt" {
  algorithm        = "HS256"
  secret           = "this_is_a_super_secret_value"
  consumer_id      = konnect_gateway_consumer.alex.id
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}