Home / Kong Plugin Hub
Edit
Report

JWT

Overview Examples Configuration reference Changelog API reference

Configuration

configobject
Hide Child Parameters
anonymousstring

An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.

claims_to_verifyarray[string]

A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.

Allowed values:expnbf

cookie_namesarray[string]

A list of cookie names that Kong will inspect to retrieve JWTs.

Default:[]

header_namesarray[string]

A list of HTTP header names that Kong will inspect to retrieve JWTs.

Default:authorization

key_claim_namestring

The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.

Default:iss

maximum_expirationnumber

A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.

Default:0

>= 0<= 31536000

realmstring

When authentication fails the plugin sends WWW-Authenticate header with realm attribute value.

run_on_preflightboolean

A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.

Default:true

secret_is_base64boolean

If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.

Default:false

uri_param_namesarray[string]

A list of querystring parameters that Kong will inspect to retrieve JWTs.

Default:jwt

protocolsarray[string]

A set of strings representing HTTP protocols.

Allowed values:grpcgrpcshttphttps

Default:grpc, grpcs, http, https

routeobject

If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.

* Additional properties are NOT allowed.
Hide Child Parameters
idstring
serviceobject

If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.

* Additional properties are NOT allowed.
Hide Child Parameters
idstring

Did this doc help?

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support