# Authentication

The gateway supports JWT authentication, configurable through the TOML file:

```toml
[[authentication.providers]]

[authentication.providers.jwt]
name = "my-authenticator"

[authentication.providers.jwt.jwks]
url = "https://example.com/.well-known/jwks.json"
issuer = "example.com"
audience = "my-project"
poll_interval = 60

[authentication.providers.jwt.header]
name = "Authorization"
value_prefix = "Bearer "
```

- The `name` field specifies the name of the authenticator.
- The `jwks` section specifies the URL of the JWKS endpoint, the issuer, and the audience. The audience can be an array, in which case any audience in the JWT must match any of the audiences in the array. The `poll_interval` specifies how often the JWKS endpoint should be polled for updates.
- The `header` section specifies the header name and value prefix for the JWT token.

The `poll_interval` field is a [duration](/docs/reference/gateway/configuration/durations).

Read more about [JWT authentication](/docs/features/security/jwt-authentication).

## Extensions

Alternatively you can use an extension as an authentication provider. Currently, only the JWT extension is supported. Read more about [creating an authentication extension](https://docs.rs/grafbase-sdk/latest/grafbase_sdk/#authentication-example), and the [example JWT authentication extension](https://github.com/grafbase/grafbase/tree/main/extensions/jwt).