Authentication

The gateway's default behavior depends on whether any authentication is configured. When none is configured, the gateway provides an anonymous token for each request. When authentication is configured, whether through an extension or the deprecated embedded JWT implementation, the gateway denies access if the user could not be authenticated. This can be controlled with the following:

    [authentication]
    # If the client could not be authenticated
    # Deny access
    default = "deny"
    # or grant an anonymous token
    # default = "anonymous"

Authentication extensions are available in the Marketplace:

  • JWT: Validates a JWT token

The Grafbase Gateway has an embedded JWT authentication implementation, with the same configuration as the JWT extension.

    [[authentication.providers]]

    [authentication.providers.jwt]
    name = "my-authenticator"

    [authentication.providers.jwt.jwks]
    url = "https://example.com/.well-known/jwks.json"
    issuer = "example.com"
    audience = "my-project"
    poll_interval = 60

    [authentication.providers.jwt.header]
    name = "Authorization"
    value_prefix = "Bearer "

  • The name field specifies the name of the authenticator.
  • The jwks section specifies the URL of the JWKS endpoint, the issuer, and the audience. The audience can be an array, in which case at least one audience in the JWT must match one of the audiences in the array. The poll_interval specifies how often the JWKS endpoint is polled for updates.
  • The header section specifies the header name and value prefix for the JWT token.

The poll_interval field is a duration.

Read more about JWT authentication.