Identifies the issuer that issued the JWT. See issuer A JWT with different iss claim will be rejected.

Example: https://foobar.auth0.com Example: 1234567-compute@developer.gserviceaccount.com

The list of JWT audiences that are allowed to access. A JWT containing any of these audiences will be accepted.

The service name will be accepted if audiences is empty.

Example:

audiences:
- bookstore_android.apps.example.com
  bookstore_web.apps.example.com

URL of the provider’s public key set to validate signature of the JWT. See OpenID Discovery.

Optional if the key set document can either (a) be retrieved from OpenID Discovery of the issuer or (b) inferred from the email domain of the issuer (e.g. a Google service account).

Example: https://www.googleapis.com/oauth2/v1/certs

Note: Only one of jwksUri and jwks should be used.

JSON Web Key Set of public keys to validate signature of the JWT. See https://auth0.com/docs/jwks.

Note: Only one of jwksUri and jwks should be used.

List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in x-jwt-assertion header, and have Bearer prefix:

  fromHeaders:
  - name: x-jwt-assertion
    prefix: “Bearer “

Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

List of query parameters from which JWT is expected. For example, if JWT is provided via query parameter my_token (e.g /path?my_token=<JWT>), the config is:

  fromParams:
  - “my_token”

Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

This field specifies the header name to output a successfully verified JWT payload to the backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified, the payload will not be emitted.

List of cookie names from which JWT is expected. // For example, if config is:

  from_cookies:
  - auth-token

Then JWT will be extracted from auth-token cookie in the request.

Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

If set to true, the original token will be kept for the upstream request. Default is false.

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. This differs from the output_payload_to_header by allowing outputting individual claims instead of the whole payload. The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well.

  outputClaimToHeaders:
  - header: x-my-company-jwt-group
    claim: my-group
  - header: x-test-environment-flag
    claim: test-flag
  - header: x-jwt-claim-group
    claim: nested.key.group

[Experimental] This feature is a experimental feature.

The HTTP header name.

The prefix that should be stripped before decoding the token. For example, for Authorization: Bearer <token>, prefix=Bearer with a space at the end. If the header doesn’t have this exact prefix, it is considered invalid.

The name of the header to be created. The header will be overridden if it already exists in the request.

The name of the claim to be copied from. Only claim of type string/int/bool is supported. The header will not be there if the claim does not exist or the type of the claim is not supported.