Skip to main content

Parameters

See plugin common configurations for configuration options available to all plugins.

Credentials

The following are plugin attributes available for configurations on credentials.

  • key

    string

    required

    A unique key that identifies the credential for a consumer.

  • secret

    string

    Shared key used to sign and verify the JWT when the algorithm is symmetric. Required when using HS256, HS384, or HS512 as the algorithm.

    The secret is encrypted with AES before saving to etcd. You can also keep secrets in a secret manager, such as HashiCorp Vault's KV secrets engine. See secrets for more details.

  • public_key

    string

    RSA or ECDSA public key. Required if the algorithm is RS256, ES256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, or EdDSA.

  • algorithm

    string

    default: HS256

    vaild vaule:

    HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, EdDSA

    Encryption algorithm.

    Currently APISIX only supports HS256, HS512, RS256, and ES256. Enterprise supports all algorithms.

  • exp

    integer

    default: 86400

    vaild vaule:

    greater or equal to 1

    Expiry time of the token in seconds.

    If you are not using APISIX to sign the JWT, this parameter is ignored and you should specify the expiration in the payload when signing the JWT.

  • base64_secret

    boolean

    default: false

    If true, encode the secret with base64.

  • lifetime_grace_period

    integer

    default: 0

    vaild vaule:

    greater or equal to 0

    Grace period in seconds. Used to account for clock skew between the server generating the JWT and the server validating the JWT.

Routes or Services

The following are plugin attributes available for configurations on routes or services.

  • header

    string

    default: authorization

    The header to get the token from.

  • query

    string

    default: jwt

    The query string to get the token from. Lower priority than header.

  • cookie

    string

    default: jwt

    The cookie to get the token from. Lower priority than query.

  • hide_credentials

    boolean

    default: false

    If true, do not pass the header, query, or cookie with JWT to upstream services.

  • anonymous_consumer

    string

    Anonymous consumer name (Enterprise feature). If configured, allow anonymous users to bypass the authentication. See Rate Limit with Anonymous Consumer for more details.

  • claims_to_verify

    array[string]

    default: ["exp", "nbf"]

    vaild vaule:

    combination of exp and nbf

    This parameter is currently available only in Enterprise.

    Specify the JWT claim(s) to verify, to ensure that the token is used within its allowed timeframe. Note, that this is not the claims required to be presented in the payload, but the payload to verify, if presented.

    By default, APISIX requires one of the exp and nbf to be presented in the JWT payload, while API7 Enterprise does not require any.

API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud
API7 Enterprise
API Portal
Roadmap

Open Source

Apache APISIX
K8s Ingress Controller
wasm-nginx-module
Contributor Graph

Resources

Blog
Documentation
NGINX + Lua
APISIX vs Kong
APISIX vs NGINX

Company

About
Contact
Compliance Standards
Partners
Terms & Privacy
SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN Ltd. 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation