# JWT Quick Start: Securing APIs with Auth0 or Keycloak

> Learn how to secure your Tyk OAS APIs using JWT authentication with Auth0 or Keycloak as identity providers.

In this tutorial, we'll secure a Tyk OAS API using JWT authentication with either Auth0 or Keycloak as the identity provider.

<Note>
  If you want to try out JWT Auth without linking up to a third-party IdP, you can skip step 1 and provide the base64-encoded public key for your JWT (in the `source` field rather than configuring `jwksURIs`) in step 3. You'll need to generate a JWT for the request, but otherwise everything stays the same.

  Now back to the tutorial...
</Note>

We'll start by configuring the identity provider, then set up JWT validation in Tyk, create a security policy, configure the API to use the policy, and finally test the secured API with a valid token.

### Prerequisites

* A Tyk installation (Cloud or Self-Managed) with Tyk Dashboard license
* An Auth0 account or Keycloak installation
* An existing Tyk OAS API (see [this tutorial](/5.12/api-management/gateway-config-managing-oas#using-tyk-dashboard-api-designer-to-create-an-api))
* Postman, cURL, or another API testing tool

### Step-by-Step Guide

1. **Configure Your Identity Provider to obtain your JWKS URI**

   The first step is to configure your Identity Provider (IdP) to issue JWTs and provide a JWKS URI that Tyk can use to validate the tokens. Below are instructions for both Auth0 and Keycloak.

   <Tabs>
     <Tab title="Auth0 Setup">
       1. Log in to your Auth0 dashboard
       2. Navigate to Applications > APIs and click Create API
       3. Enter a name and identifier (audience) for your API
       4. Note your Auth0 domain (e.g. `your-tenant.auth0.com`)
       5. Your JWKS URI will be: `https://your-tenant.auth0.com/.well-known/jwks.json`
     </Tab>

     <Tab title="Keycloak Setup">
       1. Log in to your Keycloak admin console
       2. Create or select a realm (e.g. `tyk-demo`)
       3. Navigate to Clients and create a new client with:
          * Client ID: `tyk-api-client`
          * Client Protocol: `openid-connect`
          * Access Type: `confidential`
       4. After saving, go to the Installation tab and select "OIDC JSON" format
       5. Your JWKS URI will be: `http://your-keycloak-host/realms/tyk-demo/protocol/openid-connect/certs`
     </Tab>
   </Tabs>

2. **Create a Security Policy**

   1. In the Tyk Dashboard, navigate to **Policies**
   2. Click **Add Policy**
   3. Configure the policy:
      * Name: `JWT Auth Policy`
      * APIs: Select your Tyk OAS API
      * Access Rights: Configure appropriate paths and methods
      * Authentication: Select JWT
      * JWT Scope Claim Name: Enter the JWT claim that contains scopes (e.g. `scope` or `permissions`)
      * Required Scopes: Add any required scopes for access (optional)
   4. Click Create to save your policy

3. **Configure JWT Authentication in Tyk OAS API**

   1. Navigate to APIs and select your API
   2. Click **Edit**
   3. Enable **Authentication** in the **Server** section and select **JSON Web Token (JWT)** as the authentication method
   4. Configure the JWT settings:
      * Token Signing Method: Select `RSA Public Key`
      * Subject identity claim: Set to `sub`
      * JWKS Endpoint: Enter your JWKS URI for your IdP obtained in step 1
      * Policy claim: Set to `pol`
      * Default policy: Select `JWT Auth Policy` (the policy you created previously)
      * Clock Skew (optional): Set to accommodate time differences (e.g. `10`)
      * Authentication Token Location: `header`
      * Header Name: `Authorization`
      * Strip Authorization Data: `Enabled`
   5. Click **Save API**

4. **Test your API**

   1. Obtain a JWT from your IdP
   2. Make a request to your API providing the JWT as a Bearer token in the `Authorization` header; Tyk will validate the JWT using the JWKS that it retrieves from your JWKS URI
   3. Observe that the request is successful

   ```bash
   curl -X GET {API URL} -H "Accept: application/json" -H "Authorization: Bearer {token}"
   ```
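To make the validation in step 4 concrete, here is an added Go example (not Tyk's or the IdP's code) that stands in for the IdP by minting an RS256 token and then checks it the way the gateway does with the JWKS and the clock-skew setting: key chosen by the token's `kid`, algorithm pinned to RS256, signature verified, `exp` enforced with the configured skew, and only then are `sub` and `pol` read. The JWKS is constructed in memory instead of being fetched from the JWKS URI, and the kid, claim values and skew are made-up assumptions.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
// JWKS is the IdP key set after parsing the document at the JWKS URI: kid -> RSA public key (constructed in memory here).
type JWKS map[string]*rsa.PublicKey
// Mint stands in for the IdP: it signs an RS256 JWT carrying the claims Tyk reads (sub, pol, exp).
func Mint(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + b64.EncodeToString(sig)
}

// Verify mirrors the gateway: key chosen by the token's kid, alg pinned to RS256 (never trusted from the header), signature checked, exp enforced with skew.
func Verify(tok string, keys JWKS, skew time.Duration, now time.Time) (map[string]any, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or alg is not RS256")
	}
	pub := keys[hdr.Kid] // nil when the IdP's JWKS has no key with this kid
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if sig, err := b64.DecodeString(p[2]); pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return nil, errors.New("unknown kid or signature invalid")
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.After(time.Unix(int64(exp), 0).Add(skew)) {
		return nil, errors.New("token expired beyond clock skew")
	}
	return claims, nil
}
```

With a 10-second skew a token that expired 5 seconds ago still verifies, which is exactly the tolerance the Clock Skew setting in step 3 buys you; set it to 0 and the same token is rejected.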
