Updated on 2025-10-24 GMT+08:00

JWTAuthContent

Table 1 JWTAuthContent

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| jwks_service | No | PluginJWTAuthJWKSService object | JWKS service address. Either jwks or jwks_service must be set; if both are set, the gateway uses jwks_service. When jwks_service is set, the gateway periodically fetches the JWKS public keys from the specified service address. |
| jwks | No | String | JWKS public key set. Either jwks or jwks_service must be set; if both are set, the gateway uses jwks_service. The JWKS used to verify tokens must be a JSON string that complies with RFC 7517 (https://www.rfc-editor.org/rfc/rfc7517). Max. size: 50 KB. |
| token_location | No | String | Where the gateway looks for the token: header (a request header), query (a query-string parameter), or cookie (a request cookie). Default: header. |
| token_name | No | String | Name of the header, query parameter, or cookie that carries the token. Default: Authorization when token_location is header, access_token when it is query. Mandatory when token_location is cookie. When token_location is header, the name is matched case-insensitively. |
| token_prefix | No | String | Applies only when token_location is header. The prefix is removed from the header value before the token is verified. Default: Bearer. |
| token_expiration_tolerance | No | String | Clock skew, in seconds, allowed when checking the token's expiration time (0–86400). Applies only when the payload carries an exp claim. Default: 0. |
| token_pass_through_enabled | No | Boolean | Whether the gateway forwards the original token to the backend. Default: false. |
| carry_payload | No | PluginJWTAuthCarryPayload object | Writes the original token payload into a request header that is forwarded to the backend. |
| missing_token_skip_auth_enabled | No | Boolean | Whether a request that carries no token is forwarded to the backend without JWT authentication. Default: false. |
| ignore_expiration_validation_enabled | No | Boolean | Whether the gateway ignores the token's exp claim. Default: false. |
| claims_to_headers | No | Array of PluginJWTAuthClaimsToHeaders objects | Copies the values of the specified payload fields (claims) into request headers of the given names, which are forwarded to the backend. |
| blacklist | No | Array of PluginJWTAuthBlacklist objects | Blacklist rules. The gateway checks the value of the specified payload field (claim) against each rule; if the claim's key-value pair in the payload matches any rule, the request is rejected. |

Table 2 PluginJWTAuthJWKSService

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| uri | Yes | String | URI from which the gateway fetches the JWKS with an HTTP GET request. The response must be a JSON string that complies with RFC 7517 (https://www.rfc-editor.org/rfc/rfc7517). If the URI specifies no scheme, HTTPS is used. The returned JWKS may be at most 50 KB. Mandatory when jwks_service is set. |
| timeout | No | Integer | Maximum time, in milliseconds, that the gateway waits for the JWKS service (1–60,000). Default: 5000. |
| ttl | No | Integer | How long, in seconds, the gateway caches the JWKS returned by the service (600–86,400). Default: 7200. |
| custom_host | No | String | Value of the Host header sent with the JWKS request. By default, the request's original Host header is used. |
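The fetch-and-cache behaviour the table describes, as an added example in Python (not the gateway's own code): an HTTP GET to uri, defaulting to https:// when no scheme is given, an optional Host override taken from custom_host, the timeout converted from milliseconds, the 50 KB cap on the response, and a cache that serves the key set until ttl seconds have passed. The key set, the hostnames and the `demo()` walk-through are constructed for the example; `demo()` swaps in a recording opener and a fake clock so it runs offline. The table does not say what the gateway does when a refresh fails, so this version simply raises.

```python
import json
import time
import urllib.request

MAX_JWKS_BYTES = 50 * 1024  # the table's 50 KB cap on the returned key set


def http_get(req: urllib.request.Request, timeout_s: float) -> bytes:
    """Real fetch; reads one byte past the cap so an oversized body is detectable."""
    with urllib.request.urlopen(req, timeout=timeout_s) as resp:
        return resp.read(MAX_JWKS_BYTES + 1)


class JWKSCache:
    """Fetch-on-demand cache driven by a PluginJWTAuthJWKSService dict (uri/timeout/ttl/custom_host)."""

    def __init__(self, service: dict, opener=http_get, clock=time.monotonic):
        uri = service["uri"]
        self.uri = uri if "://" in uri else "https://" + uri  # no scheme given: HTTPS
        self.timeout_s = int(service.get("timeout", 5000)) / 1000.0  # table range 1-60000 ms
        self.ttl = int(service.get("ttl", 7200))  # table range 600-86400 s
        self.custom_host = service.get("custom_host")
        self.opener, self.clock = opener, clock
        self.keys, self.fetched_at, self.fetches = None, 0.0, 0

    def build_request(self) -> urllib.request.Request:
        headers = {"Accept": "application/json"}
        if self.custom_host:  # still connects to the uri's host; only the Host header changes
            headers["Host"] = self.custom_host
        return urllib.request.Request(self.uri, headers=headers, method="GET")

    def refresh(self) -> dict:
        body = self.opener(self.build_request(), self.timeout_s)
        if len(body) > MAX_JWKS_BYTES:
            raise ValueError("JWKS larger than 50 KB")
        jwks = json.loads(body)
        if not isinstance(jwks, dict) or not isinstance(jwks.get("keys"), list):
            raise ValueError("response is not an RFC 7517 JWK Set")
        self.keys, self.fetched_at, self.fetches = jwks, self.clock(), self.fetches + 1
        return jwks

    def get(self) -> dict:
        """Serve the cached set until ttl seconds have passed, then fetch again."""
        if self.keys is None or self.clock() - self.fetched_at >= self.ttl:
            return self.refresh()
        return self.keys

    def key_for(self, kid: str):
        return next((k for k in self.get()["keys"] if k.get("kid") == kid), None)


def demo() -> dict:
    """Offline walk-through: constructed key set, recording opener, fake clock (all assumptions)."""
    now, calls = [0.0], []
    body = b'{"keys":[{"kty":"RSA","kid":"2025-10","alg":"RS256","use":"sig"}]}'

    def recording_opener(req, timeout_s):
        calls.append((req.full_url, req.get_header("Host"), timeout_s))
        return body

    cache = JWKSCache({"uri": "jwks.example.internal/.well-known/jwks.json", "timeout": 2500,
                       "ttl": 600, "custom_host": "auth.example.com"},
                      opener=recording_opener, clock=lambda: now[0])
    kid = cache.key_for("2025-10")["kid"]  # first use: one fetch
    now[0] += 599
    cache.get()  # inside ttl: served from cache, no fetch
    now[0] += 1
    cache.get()  # ttl reached: fetched again
    oversized = JWKSCache({"uri": "https://jwks.example.internal/big"},
                          opener=lambda r, t: b"x" * (MAX_JWKS_BYTES + 1), clock=lambda: now[0])
    try:
        oversized.refresh()
        too_big_rejected = False
    except ValueError:
        too_big_rejected = True
    return {"kid": kid, "fetches": cache.fetches, "calls": calls, "too_big_rejected": too_big_rejected}
```

Two points worth keeping from this shape: the size cap is enforced before `json.loads` ever sees the body, so a compromised or misconfigured JWKS service cannot make the gateway parse an unbounded document; and a custom_host override changes only the Host header, not the address the gateway connects to, which is what makes it useful for services fronted by a virtual-host router.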

Table 3 PluginJWTAuthCarryPayload

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| enabled | No | Boolean | Whether the payload parsed from the token is forwarded to the backend. Default: false. |
| header_name | No | String | Request header into which the parsed payload is written. Mandatory when enabled is true. The name is case-insensitive. |

Table 4 PluginJWTAuthClaimsToHeaders

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| claim | Yes | String | Name of a field in the payload. Only top-level fields of the payload's JSON structure are supported. |
| header | Yes | String | Name of the request header forwarded to the backend. |
| is_override | No | Boolean | Whether to overwrite a request header of the same name. true: an existing header of that name is overwritten with the claim value. false: a header of that name is added alongside any existing one. Default: true. |

Table 5 PluginJWTAuthBlacklist

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| claim | Yes | String | Name of a field in the payload. Only top-level fields of the payload's JSON structure are supported. |
| value | Yes | String | The request is rejected if the value of claim equals this value. |
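Putting Tables 1, 3, 4 and 5 together, the following added example (Python, not the gateway's own code) walks a request through the same decisions: locate the token by token_location, token_name and token_prefix; verify it against the jwks string; apply token_expiration_tolerance and ignore_expiration_validation_enabled; reject blacklisted claims; strip or pass through the token; and build the carry_payload and claims_to_headers headers with is_override semantics. To run with the standard library alone it uses an HS256 key published as an RFC 7517 "oct" entry, which is a shared secret rather than a public key; a production JWKS carries RSA or EC public keys and the gateway verifies RS256/ES256 signatures, but the surrounding logic is the same. The request representation (a list of header name/value pairs plus a query string), the key, the token payloads and the choice to forward carry_payload as compact JSON are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
from http.cookies import SimpleCookie
from urllib.parse import parse_qs


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Constructed key material (example only): one symmetric "oct" key in an RFC 7517 key set.
# A real jwks/jwks_service carries RSA or EC public keys; the surrounding logic is unchanged.
SECRET = b"example-shared-secret-do-not-use"
JWKS_JSON = json.dumps({"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256", "k": b64url_encode(SECRET)}]})


def sign_hs256(payload: dict, kid: str = "k1", secret: bytes = SECRET) -> str:
    """Mint a test token (stands in for the identity provider)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class AuthError(Exception):
    """Raised wherever the gateway would reject the request."""


def _header(headers: list, name: str):
    return next((v for k, v in headers if k.lower() == name.lower()), None)  # case-insensitive


def extract_token(request: dict, cfg: dict):
    """Locate the raw token per token_location/token_name/token_prefix; None if absent."""
    loc = cfg.get("token_location", "header")
    if loc == "header":
        raw = _header(request["headers"], cfg.get("token_name", "Authorization"))
        prefix = cfg.get("token_prefix", "Bearer")
        if raw is not None and prefix:
            if not raw.startswith(prefix + " "):
                raise AuthError("token prefix mismatch")
            raw = raw[len(prefix):].strip()  # the prefix is removed before verification
        return raw
    if loc == "query":
        return parse_qs(request.get("query", "")).get(cfg.get("token_name", "access_token"), [None])[0]
    if loc == "cookie":
        jar = SimpleCookie(_header(request["headers"], "Cookie") or "")
        name = cfg["token_name"]  # mandatory for the cookie location
        return jar[name].value if name in jar else None
    raise AuthError("unsupported token_location")


def verify(token: str, cfg: dict, now: float) -> dict:
    """Verify the signature against cfg["jwks"], then exp with the configured tolerance."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, payload, sig = (json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64)),
                                b64url_decode(s_b64))
    except ValueError:
        raise AuthError("malformed token")
    # Pin the algorithm to what the key set supports; never let the token select "none".
    if not (isinstance(header, dict) and isinstance(payload, dict) and header.get("alg") == "HS256"):
        raise AuthError("malformed token or unsupported alg")
    keys = json.loads(cfg["jwks"])["keys"]
    key = next((k for k in keys if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise AuthError("no matching kid in JWKS")
    mac = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, sig):
        raise AuthError("bad signature")
    if "exp" in payload and not cfg.get("ignore_expiration_validation_enabled", False):
        tolerance = int(cfg.get("token_expiration_tolerance", "0"))  # seconds, 0-86400
        if now > payload["exp"] + tolerance:
            raise AuthError("token expired")
    return payload


def authenticate(request: dict, cfg: dict, now: float) -> list:
    """Return the (name, value) headers forwarded to the backend, or raise AuthError."""
    token = extract_token(request, cfg)
    out = list(request["headers"])
    if token is None:
        if cfg.get("missing_token_skip_auth_enabled", False):
            return out  # no token at all: forwarded without JWT authentication
        raise AuthError("missing token")
    payload = verify(token, cfg, now)
    for rule in cfg.get("blacklist", []):  # top-level claim equal to the listed value: reject
        if rule["claim"] in payload and str(payload[rule["claim"]]) == rule["value"]:
            raise AuthError(f"claim {rule['claim']} is blacklisted")
    if cfg.get("token_location", "header") == "header" and not cfg.get("token_pass_through_enabled", False):
        name = cfg.get("token_name", "Authorization").lower()
        out = [(k, v) for k, v in out if k.lower() != name]  # header form only; query/cookie left as-is
    carry = cfg.get("carry_payload", {})
    if carry.get("enabled"):  # assumption: the payload is forwarded as compact JSON
        out.append((carry["header_name"], json.dumps(payload, separators=(",", ":"))))
    for m in cfg.get("claims_to_headers", []):
        if m["claim"] not in payload:
            continue
        if m.get("is_override", True):  # true: replace the same-named header; false: add alongside it
            out = [(k, v) for k, v in out if k.lower() != m["header"].lower()]
        out.append((m["header"], str(payload[m["claim"]])))
    return out
```

The order matters for the backend's trust model: the blacklist is evaluated only after the signature has been verified, the token header is stripped before claims are copied, and with is_override left at its default of true a client-supplied X-User header cannot survive next to the value taken from the verified token. Setting is_override to false is the case to watch, because the backend then receives both the client's header and the gateway's and must pick the right one.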