In this tutorial, we’ll secure a Tyk OAS API using JWT authentication with either Auth0 or Keycloak as the identity provider.
If you want to try out JWT Auth without linking up to a third-party IdP, you can skip step 1 and instead provide the base64-encoded public key for your JWT in the source field (rather than configuring jwksURIs) in step 3. You’ll need to generate a JWT for the request yourself, but otherwise everything stays the same. Now back to the tutorial…
We’ll start by configuring the identity provider, then set up JWT validation in Tyk, create a security policy, configure the API to use the policy, and finally test the secured API with a valid token.

Prerequisites

  • A Tyk installation (Cloud or Self-Managed) with Tyk Dashboard license
  • An Auth0 account or Keycloak installation
  • An existing Tyk OAS API (see this tutorial)
  • Postman, cURL, or another API testing tool

Step-by-Step Guide

  1. Configure Your Identity Provider to obtain your JWKS URI
    The first step is to configure your Identity Provider (IdP) to issue JWTs and provide a JWKS URI that Tyk can use to validate the tokens. Below are instructions for Auth0.
    Auth0 Setup
    1. Log in to your Auth0 dashboard
    2. Navigate to Applications > APIs and click Create API
    3. Enter a name and identifier (audience) for your API
    4. Note your Auth0 domain (e.g. your-tenant.auth0.com)
    5. Your JWKS URI will be: https://your-tenant.auth0.com/.well-known/jwks.json
  2. Create a Security Policy
    1. In the Tyk Dashboard, navigate to Policies
    2. Click Add Policy
    3. Configure the policy:
      • Name: JWT Auth Policy
      • APIs: Select your Tyk OAS API
      • Access Rights: Configure appropriate paths and methods
      • Authentication: Select JWT
      • JWT Scope Claim Name: Enter the JWT claim that contains scopes (e.g. scope or permissions)
      • Required Scopes: Add any required scopes for access (optional)
    4. Click Create to save your policy
  3. Configure JWT Authentication in Tyk OAS API
    1. Navigate to APIs and select your API
    2. Click Edit
    3. Enable Authentication in the Server section, select JSON Web Token (JWT) as the authentication method
    4. Configure the JWT settings:
      • Token Signing Method: Select RSA Public Key
      • Subject identity claim: Set to sub
      • JWKS Endpoint: Enter your JWKS URI for your IdP obtained in step 1
      • Policy claim: Set to pol
      • Default policy: Select JWT Auth Policy (the policy you created previously)
      • Clock Skew (optional): Set to accommodate time differences (e.g. 10)
      • Authentication Token Location: header
      • Header Name: Authorization
      • Strip Authorization Data: Enabled
    5. Click Save API
  4. Test your API
    1. Obtain a JWT from your IdP
    2. Make a request to your API providing the JWT as a Bearer token in the Authorization header; Tyk will validate the JWT using the JWKS that it retrieves from your JWKS URI
    3. Observe that the request is successful
        curl -X GET {API URL} -H "Accept: application/json" -H "Authorization: Bearer {token}"
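To make the gateway-side checks from steps 3 and 4 concrete, here is an added stand-alone example (not Tyk's or Auth0's code) that does what Tyk does with the token: fetch the matching JWK by kid from the JWKS document, verify the RS256 signature, apply the exp/nbf window with the clock skew, take the identity from sub, take the policy from the pol claim or fall back to the default policy, and check required scopes. The IdP side (a constructed, deliberately small RSA key, the JWKS document and the token issuance) is simulated inline so the script runs offline; the key size and fixed-base primality test are demo shortcuts, not something to reuse.

```python
import base64, hashlib, json, random, time

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _prime(bits):
    # Miller-Rabin with fixed bases: fine for a throwaway demo key, not for production keys
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0: d, r = d // 2, r + 1
        if all(pow(a, d, n) in (1, n - 1) or any(pow(a, d << i, n) == n - 1 for i in range(1, r))
               for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)): return n

def demo_rsa_key():
    # Constructed 512-bit key standing in for the IdP's signing key (far too small for real use)
    while True:
        p, q = _prime(256), _prime(256)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % 65537: return n, 65537, pow(65537, -1, phi)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa_pkcs1_v15(msg, k):
    # RSASSA-PKCS1-v1_5 encoding of SHA-256(msg) as an integer; k = modulus length in bytes
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_jwt(claims, n, e, d, kid):
    # What the IdP does when it issues a token: RS256 over base64url(header).base64url(payload)
    signing_input = _b64u(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode()) + "." + _b64u(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    return signing_input + "." + _b64u(pow(_emsa_pkcs1_v15(signing_input.encode(), k), d, n).to_bytes(k, "big"))
def jwks_for(n, e, kid):
    # The document the IdP serves at its JWKS URI (e.g. /.well-known/jwks.json); keys are matched by kid
    enc = lambda i: _b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(n), "e": enc(e)}]}

def validate(token, jwks, default_policy, required_scopes=(), scope_claim="scope", skew=10, now=None):
    # Gateway-side checks: signature via JWKS, validity window with clock skew (seconds),
    # identity from sub, policy from pol (falling back to the default policy), required scopes
    now = time.time() if now is None else now
    h64, p64, s64 = token.split(".")
    header = json.loads(_b64d(h64))
    if header.get("alg") != "RS256": raise ValueError("unexpected alg")  # never accept alg=none or an HMAC alg here
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None: raise ValueError("no JWK matches kid")
    n, e = (int.from_bytes(_b64d(key[x]), "big") for x in ("n", "e"))
    if pow(int.from_bytes(_b64d(s64), "big"), e, n) != _emsa_pkcs1_v15(f"{h64}.{p64}".encode(), (n.bit_length() + 7) // 8):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(p64))
    if now > claims.get("exp", 0) + skew or now < claims.get("nbf", 0) - skew: raise ValueError("outside validity window")
    if not set(required_scopes) <= set(str(claims.get(scope_claim, "")).split()): raise ValueError("missing scope")
    return {"identity": claims["sub"], "policy": claims.get("pol", default_policy)}
```

A token whose exp lies within the skew window is still accepted, while a tampered payload, an unknown kid, or a missing required scope is rejected before any policy is applied.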