Syvizo API Management Platform
Verify JWT Token
When to use
Use this policy when you want to verify a JWT sent in the request before the request is allowed to proceed to later policies or the backend.
Details
The Verify JWT Token (Signature Verification) policy validates the signature of a JWT (JSON Web Token) received from clients or other systems, establishing the integrity and authenticity of the token. It also extracts the claims from the JWT and stores them as context variables, so that subsequent policies or conditions can use those values for authorization or routing decisions. For a more comprehensive introduction, refer to the JWS (JSON Web Signature) and JWT policies overview.
During execution, the policy verifies the JWT's signature and then checks the token's validity window using the expiry ("exp") and not-before ("nbf") claims, if they are present. Optionally, specific claim values can also be verified, such as the subject, issuer, audience, or additional claims you configure.
If the signature verifies and the token is valid, all claims in the JWT are extracted into context variables, which subsequent policies or conditions can read, and the request is allowed to proceed. If the signature cannot be verified, or the token is outside its validity window, or a configured claim value does not match, processing halts and an error response is returned (unless Continue on Error is set, in which case the flow continues and isValid is false).
To learn about the parts of a JWT, refer to RFC 7519; how tokens are signed is defined in RFC 7515 (JWS) and how they are encrypted in RFC 7516 (JWE).
Configuration
The configuration fields for the policy are:
[* Indicates a mandatory field]
Name *: Display name of the policy
Description: Description of policy
Enabled: Flag to indicate whether the policy is enabled. If this field is not checked, the policy is ignored at runtime and its output fields keep their default initial values; a disabled policy therefore rejects nothing, so do not rely on it for protection while it is switched off
Continue on Error: Flag to indicate that the flow should continue even if this policy throws an error. For an authentication check, leave this unset unless a later policy or condition explicitly tests isValid; otherwise a request carrying an invalid token would still reach the backend
Algorithm: The signature algorithm the policy uses to verify the token. Configure it explicitly to match what your token issuer uses. Verification must never be driven by the "alg" header of the incoming token, because that header is attacker-controlled (this is the root of the well-known "alg": "none" and HMAC/RSA key-confusion attacks)
Subject: Expected value of the "sub" (subject) claim. Per RFC 7519, the subject identifies the principal that the JWT is about; it is a case-sensitive string containing a StringOrURI value and must be either locally unique in the context of the issuer or globally unique. If you set this field, the token's "sub" claim must match it; leave it empty to skip the check
Issuer: Expected value of the "iss" (issuer) claim, which identifies the principal that issued the JWT. It is a case-sensitive string containing a StringOrURI value, so "https://issuer.example" and "https://issuer.example/" are different issuers. If you set this field, the token's "iss" claim must match it; leave it empty to skip the check
Input fields
secretKey: The key used to verify the signature. For an HMAC algorithm this must be the same shared secret that signed the token, so treat it as a credential: supply it from the platform's secret storage rather than writing it into the flow definition
claims: A set of name-value pairs that denote additional claims to verify; each named claim in the token must carry the given value. This value
Output fields
isValid: Boolean; true when the token's signature verified, its validity window and configured claims checked out, and the request is allowed to proceed. Test it in later conditions when Continue on Error is set, because in that case an invalid token no longer stops the flow by itself
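The following is an added, stand-alone model of the checks described under Details and of the configuration, input and output fields above. It is not Syvizo's code and does not use the platform's API: the keyword arguments mirror the fields (algorithm, subject, issuer, secretKey, claims, Continue on Error), the `jwt.claims.` prefix for the extracted context variables is an assumed naming, only HS256 is implemented so that the standard library suffices, and every token, secret and timestamp is constructed inline for the demonstration. It shows the order a verifier should follow (configured algorithm first, then signature, then timestamps, then claim values) and how an `alg: none` token, a forged payload and an expired token are each rejected.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes, header=None) -> str:
    """Issue an HS256 token. Used here only to construct sample input."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    segs = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
            _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    mac = hmac.new(secret, ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [_b64url_encode(mac)])


class PolicyError(Exception):
    """Raised where the policy halts processing and returns an error response."""


def verify_jwt(token: str, *, algorithm: str, secret_key: bytes, subject=None,
               issuer=None, audience=None, claims=None, now=None, leeway=0) -> dict:
    """algorithm/subject/issuer model the configuration fields, secret_key and
    claims the input fields. Returns the isValid output plus the claims
    extracted as context variables, or raises PolicyError."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except (ValueError, json.JSONDecodeError):
        raise PolicyError("malformed token")

    # The algorithm comes from the policy configuration, never from the token:
    # a header that says alg=none (or another family) is rejected before any
    # key material is used.
    if algorithm != "HS256":
        raise PolicyError(f"this example supports HS256 only, got {algorithm}")
    if header.get("alg") != algorithm:
        raise PolicyError(f"token alg {header.get('alg')!r} != configured {algorithm!r}")

    expected_mac = hmac.new(secret_key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, signature):  # constant-time compare
        raise PolicyError("signature verification failed")

    # exp / nbf (RFC 7519 sections 4.1.4 and 4.1.5) are enforced only if present.
    if "exp" in payload and now >= payload["exp"] + leeway:
        raise PolicyError("token expired")
    if "nbf" in payload and now < payload["nbf"] - leeway:
        raise PolicyError("token not yet valid")

    # Optional expected values for sub, iss and any additional claims.
    expected = dict(claims or {})
    if subject is not None:
        expected["sub"] = subject
    if issuer is not None:
        expected["iss"] = issuer
    for name, value in expected.items():
        if payload.get(name) != value:
            raise PolicyError(f"claim {name!r} mismatch")
    if audience is not None:  # aud may be a single string or an array
        aud = payload.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            raise PolicyError("audience mismatch")

    # "jwt.claims.<name>" is an assumed layout for the context variables.
    return {"isValid": True, "error": None,
            "context": {f"jwt.claims.{k}": v for k, v in payload.items()}}


def run_policy(token: str, *, continue_on_error=False, **config) -> dict:
    """Apply the Continue on Error flag: report isValid=false instead of
    halting, so a later condition can decide what to do."""
    try:
        return verify_jwt(token, **config)
    except PolicyError as exc:
        if continue_on_error:
            return {"isValid": False, "error": str(exc), "context": {}}
        raise


# Constructed sample data (assumed values, not from any real deployment).
SECRET = b"example-shared-secret-do-not-reuse"
NOW = 1_700_000_000
PAYLOAD = {"sub": "user-42", "iss": "https://issuer.example", "aud": ["api"],
           "role": "admin", "exp": NOW + 300, "nbf": NOW - 10}
GOOD = sign_hs256(PAYLOAD, SECRET)
# alg=none attack: same payload, header asks the verifier to skip the signature.
NONE_ALG = ".".join(sign_hs256(PAYLOAD, SECRET, header={"alg": "none"}).split(".")[:2]) + "."
# Forgery attempt: payload re-encoded with a higher role, original signature kept.
TAMPERED = ".".join([GOOD.split(".")[0],
                     _b64url_encode(json.dumps(dict(PAYLOAD, role="owner"),
                                               separators=(",", ":")).encode()),
                     GOOD.split(".")[2]])

if __name__ == "__main__":
    cfg = dict(algorithm="HS256", secret_key=SECRET, issuer="https://issuer.example",
               audience="api", claims={"role": "admin"}, now=NOW, continue_on_error=True)
    for label, tok in [("good", GOOD), ("alg=none", NONE_ALG), ("tampered", TAMPERED)]:
        print(label, run_policy(tok, **cfg))
    print("expired", run_policy(GOOD, **dict(cfg, now=NOW + 301)))
```

Running the block prints one line per case: the good token yields isValid true with the extracted `jwt.claims.*` variables, while the `alg=none`, tampered and expired tokens each yield isValid false with the specific reason. With `continue_on_error` left at its default, the same failures raise `PolicyError` instead, which is the halting behaviour described under Details.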