Features
- Signature Verification: Validates JWT signatures using JWKS (JSON Web Key Set)
- Inline JWKS Support: Provide JWKS directly without requiring external URI
- Token Introspection: Validates tokens via external introspection endpoint (RFC 7662)
- Required Claims: Ensures specific claims are present in the token
- Claim Value Validation: Validates claim values with flexible matching strategies
- Header-Payload Matching: Ensures consistency between header and payload values
- JWKS Caching: Efficient JWKS caching to reduce external calls (URI-based)
- Introspection Caching: Cache introspection results with automatic expiry validation
- Multi-tenant Support: Validate tenant IDs and other organizational claims
- Role-Based Access: Validate user groups, roles, and permissions
- OAuth2/OIDC Support: Standard audience, issuer, and scope validation
- Claim Extraction: Extract JWT claims and inject them into request context as headers
Validation Methods
The guardrail supports three validation methods:Configuration Parameters
Core Parameters
*Either
jwks, jwksUri, or introspectEndpoint must be provided.
JWKS Validation Parameters
When usingjwks or jwksUri:
Token Introspection Parameters
When usingintrospectEndpoint:
Claim Validation Parameters
Match Types
TheclaimValues parameter supports different match types for flexible validation:
exact (default)
The claim value must exactly equal the expected value. Requires single-value string claim and single expected value.
Use cases: iss, sub, client_id - single exact value validation
contains
Array/string must contain at least one of the expected values (OR logic). Use this for array claims.
Use cases: aud (JWT audience arrays), groups, roles, permissions
containsAll
Array/string must contain ALL of the expected values (AND logic). Use this when ALL values are required.
Use cases: scope (requires ALL specified scopes), required permissions
regex
Value must match the regex pattern.
Use cases: Email domain validation, pattern matching
Quick Reference
Usage Examples
Basic JWT Validation (Inline JWKS)
Basic JWT Validation (JWKS URI)
Token Introspection with Caching
Required Claims Validation
Issuer and Audience Validation
Group/Role Validation (OR logic)
Scope Validation (AND logic)
Multi-Tenant Validation
Email Domain Validation
Claim Extraction to Context
Extracts validated JWT claims and injects them as headers for downstream services:x-jwt-sub: user-123x-jwt-email: user@example.comx-jwt-tenant-id: tenant-456x-jwt-groups: admin,developer
Comprehensive Production Setup
Response Format
Success Response
Failure Response
Token Format
The guardrail expects JWT tokens in the following format:Bearer prefix is optional and will be automatically stripped if present.
Common Patterns
API Gateway Authentication
Admin-Only Access
Tenant Isolation
Service-to-Service Authentication
Best Practices
Security
- Always validate the issuer (
iss) to prevent token substitution attacks - Validate the audience (
aud) to ensure tokens are intended for your API - Use appropriate
clockTolerance(5-10 seconds) to handle clock skew - Set reasonable
maxTokenAgeto limit token lifetime - Enable
headerPayloadMatchforkidto prevent key confusion attacks
Performance
- Set appropriate
cacheMaxAge(default 24h) to reduce JWKS fetches - Inline JWKS provides the fastest validation (no external calls)
- Use introspection caching when using token introspection endpoint
Multi-Tenancy
- Always include
tenant_idinrequiredClaims - Validate
tenant_idvalues explicitly - Consider adding tenant-specific JWKS URIs for larger deployments
Claim Extraction
- Only extract claims needed by downstream services
- Use consistent
claimPrefixacross your infrastructure - Be mindful of header size limits when extracting large claims
- Extracted claims are only added if validation succeeds
Troubleshooting
Token Not Found
Authorization by default).
Invalid Signature
Missing Claims
Invalid Claim Values
Clock Skew Issues
clockTolerance to handle clock differences between systems.
