Parameters
See plugin common configurations for configuration options available to all plugins.
Credentials
The following are plugin attributes available for configurations on credentials.
key
string
required
A unique key that identifies the credential for a consumer.
secret
string
Shared key used to sign and verify the JWT when the algorithm is symmetric. Required when using
HS256
,HS384
, orHS512
as the algorithm.The secret is encrypted with AES before saving to etcd. You can also keep secrets in a secret manager, such as HashiCorp Vault's KV secrets engine. See secrets for more details.
public_key
string
RSA or ECDSA public key. Required if the
algorithm
isRS256
,ES256
,RS384
,RS512
,ES256
,ES384
,ES512
,PS256
,PS384
,PS512
, orEdDSA
.algorithm
string
default:
HS256
vaild vaule:
HS256
,HS384
,HS512
,RS256
,RS384
,RS512
,ES256
,ES384
,ES512
,PS256
,PS384
,PS512
,EdDSA
Encryption algorithm.
Currently APISIX only supports
HS256
,HS512
,RS256
, andES256
. Enterprise supports all algorithms.exp
integer
default:
86400
vaild vaule:
greater or equal to 1
Expiry time of the token in seconds.
If you are not using APISIX to sign the JWT, this parameter is ignored and you should specify the expiration in the payload when signing the JWT.
base64_secret
boolean
default:
false
If true, encode the secret with base64.
lifetime_grace_period
integer
default:
0
vaild vaule:
greater or equal to 0
Grace period in seconds. Used to account for clock skew between the server generating the JWT and the server validating the JWT.
Routes or Services
The following are plugin attributes available for configurations on routes or services.
header
string
default:
authorization
The header to get the token from.
query
string
default:
jwt
The query string to get the token from. Lower priority than header.
cookie
string
default:
jwt
The cookie to get the token from. Lower priority than query.
hide_credentials
boolean
default:
false
If true, do not pass the header, query, or cookie with JWT to upstream services.
anonymous_consumer
string
Anonymous consumer name (Enterprise feature). If configured, allow anonymous users to bypass the authentication. See Rate Limit with Anonymous Consumer for more details.
claims_to_verify
array[string]
default:
["exp", "nbf"]
vaild vaule:
combination of
exp
andnbf
This parameter is currently available only in Enterprise.
Specify the JWT claim(s) to verify, to ensure that the token is used within its allowed timeframe. Note, that this is not the claims required to be presented in the payload, but the payload to verify, if presented.
By default, APISIX requires one of the
exp
andnbf
to be presented in the JWT payload, while API7 Enterprise does not require any.key_claim_name
string
default:
key
This parameter is currently available only in Enterprise.
The claim in the JWT payload that identifies the associated secret, such as
iss
.