Skip to main content

Parameters

See plugin common configurations for configuration options available to all plugins.

Credentials

The following are plugin attributes available for configurations on credentials.

  • key

    string


    required


    A unique key that identifies the credential for a consumer.

  • secret

    string


    Shared key used to sign and verify the JWT when the algorithm is symmetric. Required when using HS256, HS384, or HS512 as the algorithm.

    The secret is encrypted with AES before saving to etcd. You can also keep secrets in a secret manager, such as HashiCorp Vault's KV secrets engine. See secrets for more details.

  • public_key

    string


    RSA or ECDSA public key. Required if the algorithm is RS256, ES256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, or EdDSA.

  • algorithm

    string


    default: HS256


    vaild vaule:

    HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, EdDSA


    Encryption algorithm.

    Currently APISIX only supports HS256, HS512, RS256, and ES256. Enterprise supports all algorithms.

  • exp

    integer


    default: 86400


    vaild vaule:

    greater or equal to 1


    Expiry time of the token in seconds.

    If you are not using APISIX to sign the JWT, this parameter is ignored and you should specify the expiration in the payload when signing the JWT.

  • base64_secret

    boolean


    default: false


    If true, encode the secret with base64.

  • lifetime_grace_period

    integer


    default: 0


    vaild vaule:

    greater or equal to 0


    Grace period in seconds. Used to account for clock skew between the server generating the JWT and the server validating the JWT.

Routes or Services

The following are plugin attributes available for configurations on routes or services.

  • header

    string


    default: authorization


    The header to get the token from.

  • query

    string


    default: jwt


    The query string to get the token from. Lower priority than header.

  • cookie

    string


    default: jwt


    The cookie to get the token from. Lower priority than query.

  • hide_credentials

    boolean


    default: false


    If true, do not pass the header, query, or cookie with JWT to upstream services.

  • anonymous_consumer

    string


    Anonymous consumer name (Enterprise feature). If configured, allow anonymous users to bypass the authentication. See Rate Limit with Anonymous Consumer for more details.

  • claims_to_verify

    array[string]


    default: ["exp", "nbf"]


    vaild vaule:

    combination of exp and nbf


    This parameter is currently available only in Enterprise.

    Specify the JWT claim(s) to verify, to ensure that the token is used within its allowed timeframe. Note, that this is not the claims required to be presented in the payload, but the payload to verify, if presented.

    By default, APISIX requires one of the exp and nbf to be presented in the JWT payload, while API7 Enterprise does not require any.

  • key_claim_name

    string


    default: key


    This parameter is currently available only in Enterprise.

    The claim in the JWT payload that identifies the associated secret, such as iss.


API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation