JWT Authentication

The federated graph is publicly accessible by default, so each subgraph is responsible for checking that the caller has proper credentials. You can also configure an authorization provider on the gateway so that user credentials are validated before a request is executed. Several authorization providers can be configured; a request is accepted as soon as any one of them authorizes the user.

The gateway validates JWTs (RFC 7519) and verifies their signatures against the JWK set (RFC 7517) fetched from jwks.url. Validation follows these steps:

  1. The signature must be validated by one of the keys in the JWK set.
  2. If present, the exp claim must be in the future, with a 60-second leeway.
  3. If present, the nbf claim must be in the past, with a 60-second leeway.
  4. If an issuer is configured and the token carries an iss claim, the two must match.
  5. If an audience is configured and the token carries an aud claim, the two must match. When aud is an array, the configured audience must be one of its elements.

We strongly recommend that you specify the audience (aud claim), even though it's not required. If you don't, any JWT intended for another project will be accepted as long as it is signed by one of the keys in the configured JWK set.
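The five steps above, carried out by a small stand-alone validator. This is an added example, not the gateway's own code: it uses a constructed JWK set with symmetric "oct" keys (HS256) so it runs with the Python standard library only, whereas a gateway would fetch keys from jwks.url. The `mint` helper, the `rejects` helper, the key material and all claim values are made up for the example. Taking the algorithm from the key rather than from the token header is this example's own choice, so that a header claiming `"alg": "none"` gets no special treatment.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

LEEWAY_SECONDS = 60  # the 60-second leeway applied to exp and nbf


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWK set (RFC 7517). A real gateway fetches this from jwks.url; symmetric keys are
# used here only so the example needs no third-party crypto library. Not production material.
JWKS = {
    "keys": [
        {"kty": "oct", "kid": "key-1", "alg": "HS256", "k": b64url_encode(b"constructed-hmac-key-1-example-only")},
        {"kty": "oct", "kid": "key-2", "alg": "HS256", "k": b64url_encode(b"constructed-hmac-key-2-example-only")},
    ]
}


def _hs256(signing_input: bytes, jwk: dict) -> bytes:
    return hmac.new(b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest()


def _is_numeric_date(value) -> bool:
    # RFC 7519 NumericDate: a number, and bool is excluded because it is an int subclass in Python.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def mint(claims: dict, jwk: dict) -> str:
    """Issue a compact JWT signed with one key of the set, to give the validator realistic input."""
    header = {"alg": jwk["alg"], "typ": "JWT", "kid": jwk["kid"]}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = (h + "." + p).encode()
    return h + "." + p + "." + b64url_encode(_hs256(signing_input, jwk))


def validate(token: str, jwks: dict, issuer: Optional[str] = None,
             audience: Optional[str] = None, now: Optional[float] = None) -> dict:
    """Apply the five validation steps; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        json.loads(b64url_decode(h_b64))  # header must parse, but nothing in it is trusted
        claims = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except ValueError:  # covers binascii.Error and json.JSONDecodeError as well
        raise ValueError("malformed token") from None
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")

    # Step 1: one of the JWKs must validate the signature. The algorithm comes from the key.
    signing_input = (h_b64 + "." + p_b64).encode()
    if not any(
        k.get("kty") == "oct" and k.get("alg") == "HS256"
        and hmac.compare_digest(_hs256(signing_input, k), signature)
        for k in jwks["keys"]
    ):
        raise ValueError("signature not validated by any JWK")

    # Step 2: exp, if present, must be in the future, allowing the leeway.
    exp = claims.get("exp")
    if exp is not None and (not _is_numeric_date(exp) or now >= exp + LEEWAY_SECONDS):
        raise ValueError("token expired")

    # Step 3: nbf, if present, must be in the past, allowing the leeway.
    nbf = claims.get("nbf")
    if nbf is not None and (not _is_numeric_date(nbf) or now < nbf - LEEWAY_SECONDS):
        raise ValueError("token not yet valid")

    # Step 4: iss is compared only when an issuer is configured and the claim is present.
    if issuer is not None and "iss" in claims and claims["iss"] != issuer:
        raise ValueError("issuer mismatch")

    # Step 5: aud likewise; an array-valued aud passes if the configured audience is one element.
    if audience is not None and "aud" in claims:
        aud = claims["aud"]
        if not (audience in aud if isinstance(aud, list) else aud == audience):
            raise ValueError("audience mismatch")
    return claims


def rejects(token: str, jwks: dict, **kwargs) -> bool:
    """True if validate() refuses the token under the given configuration."""
    try:
        validate(token, jwks, **kwargs)
    except ValueError:
        return True
    return False
```

Passing `now` explicitly makes the leeway behaviour reproducible: a token 30 seconds past its exp is still accepted, one 90 seconds past is not. Calling `validate` without `audience` shows the caveat above in practice: a token minted for a different audience is accepted as long as its signature checks out against the key set.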

Read more on enabling JWT authentication in the gateway.