Skip to main content
The JWT Token Validator guardrail provides comprehensive JWT (JSON Web Token) validation and authentication for the Portkey Gateway. It supports signature verification, claim validation, and custom business logic rules.

Features

  • Signature Verification: Validates JWT signatures using JWKS (JSON Web Key Set)
  • Inline JWKS Support: Provide JWKS directly without requiring external URI
  • Token Introspection: Validates tokens via external introspection endpoint (RFC 7662)
  • Required Claims: Ensures specific claims are present in the token
  • Claim Value Validation: Validates claim values with flexible matching strategies
  • Header-Payload Matching: Ensures consistency between header and payload values
  • JWKS Caching: Efficient JWKS caching to reduce external calls (URI-based)
  • Introspection Caching: Cache introspection results with automatic expiry validation
  • Multi-tenant Support: Validate tenant IDs and other organizational claims
  • Role-Based Access: Validate user groups, roles, and permissions
  • OAuth2/OIDC Support: Standard audience, issuer, and scope validation
  • Claim Extraction: Extract JWT claims and inject them into request context as headers

Validation Methods

The guardrail supports three validation methods:

Configuration Parameters

Core Parameters

*Either jwks, jwksUri, or introspectEndpoint must be provided.

JWKS Validation Parameters

When using jwks or jwksUri:

Token Introspection Parameters

When using introspectEndpoint:

Claim Validation Parameters

Match Types

The claimValues parameter supports different match types for flexible validation:

exact (default)

The claim value must exactly equal the expected value. Requires single-value string claim and single expected value. Use cases: iss, sub, client_id - single exact value validation

contains

Array/string must contain at least one of the expected values (OR logic). Use this for array claims. Use cases: aud (JWT audience arrays), groups, roles, permissions

containsAll

Array/string must contain ALL of the expected values (AND logic). Use this when ALL values are required. Use cases: scope (requires ALL specified scopes), required permissions

regex

Value must match the regex pattern. Use cases: Email domain validation, pattern matching

Quick Reference

Usage Examples

Basic JWT Validation (Inline JWKS)

Basic JWT Validation (JWKS URI)

Token Introspection with Caching

Required Claims Validation

Issuer and Audience Validation

Group/Role Validation (OR logic)

Scope Validation (AND logic)

Multi-Tenant Validation

Email Domain Validation

Claim Extraction to Context

Extracts validated JWT claims and injects them as headers for downstream services:
Result: Claims are extracted and added as headers:
  • x-jwt-sub: user-123
  • x-jwt-email: user@example.com
  • x-jwt-tenant-id: tenant-456
  • x-jwt-groups: admin,developer

Comprehensive Production Setup

Response Format

Success Response

Failure Response

Token Format

The guardrail expects JWT tokens in the following format:
Or with a custom header:
The Bearer prefix is optional and will be automatically stripped if present.

Common Patterns

API Gateway Authentication

Admin-Only Access

Tenant Isolation

Service-to-Service Authentication

Best Practices

Security

  • Always validate the issuer (iss) to prevent token substitution attacks
  • Validate the audience (aud) to ensure tokens are intended for your API
  • Use appropriate clockTolerance (5-10 seconds) to handle clock skew
  • Set reasonable maxTokenAge to limit token lifetime
  • Enable headerPayloadMatch for kid to prevent key confusion attacks

Performance

  • Set appropriate cacheMaxAge (default 24h) to reduce JWKS fetches
  • Inline JWKS provides the fastest validation (no external calls)
  • Use introspection caching when using token introspection endpoint

Multi-Tenancy

  • Always include tenant_id in requiredClaims
  • Validate tenant_id values explicitly
  • Consider adding tenant-specific JWKS URIs for larger deployments

Claim Extraction

  • Only extract claims needed by downstream services
  • Use consistent claimPrefix across your infrastructure
  • Be mindful of header size limits when extracting large claims
  • Extracted claims are only added if validation succeeds

Troubleshooting

Token Not Found

Ensure the token is sent in the correct header (Authorization by default).

Invalid Signature

Verify your JWKS URI is correct and the token was signed by the expected issuer.

Missing Claims

Ensure your auth provider includes these claims in the token.

Invalid Claim Values

Check that the claim values in your token match the expected values in your configuration.

Clock Skew Issues

Increase clockTolerance to handle clock differences between systems.
Last modified on April 2, 2026