Configure JWT authentication and authorization

Use JWT authentication in AI Gateway to verify caller identities and control API access. Tokens are digitally signed using a secret (HMAC) or a public/private key pair (RSA or ECDSA), enabling stateless, scalable authorization.

Prerequisites

  • You are familiar with the JWT standard.

  • You understand AI Gateway's integration methods: self-issued tokens or gateway-configured public key verification.

  • Your authorization service signs JWTs with a private key, and you have the corresponding public key to configure in AI Gateway.

Background information

AI Gateway's JWT authentication controls API access using structured JSON Web Tokens, letting you implement custom security policies.

Token-based authentication

When you expose an API through AI Gateway, tokens identify requesters and verify their authorization. Your backend does not need to store user authentication or session information, enabling stateless, distributed authorization that scales easily.

Supported integration methods

Create authentication

  1. Log on to the AI Gateway console.

  2. In the navigation pane on the left, choose Instance. In the top menu bar, select a region.

  3. On the Instance page, click the target instance ID.

  4. In the left-side navigation pane, choose Security Management > Global Authentication.

  5. On the Global Authentication page, click Create Authentication in the upper-left corner, configure the following parameters, and click OK.

    Enable: Enables or disables authentication for AI Gateway.

    Authentication Name: A custom name for this authentication entry.

    Authentication Type: The authentication type. Currently, only JWT is supported.

    Issuer: The iss (issuer) claim that identifies the principal that issued the token.

    Sub: The sub (subject) claim that identifies the token's subject.

    JWKS: The JSON Web Key Set (JWKS) containing the public key used to verify token signatures. Example:

    {
        "keys": [
            {
                "e": "AQAB",
                "kid": "DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
                "kty": "RSA",
                "n": "xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
            }
        ]
    }

    JWT token configuration: Where in client requests AI Gateway extracts the JWT.

    • Type: The location of the token in the request. The default value is Header.

    • Key: The name of the parameter that carries the token. Example: Authorization.

    • Prefix: The prefix stripped from the token value before validation. By default, tokens are sent in the Authorization header with a Bearer prefix. Example: Authorization: Bearer token.

    • Enable Passthrough: Whether to forward the token to the backend after validation.

    Authorization: The authorization mode. Supports Whitelist Mode and Blacklist Mode.

    • Whitelist Mode: Requests matching a listed domain and path bypass authentication. All others require it.

    • Blacklist Mode: Requests matching a listed domain and path require authentication. All others are allowed.

    Click Rule Condition to specify the Domain Name and Path.

    • Domain name: The request domain name, such as example.com.

    • Path: The request path, such as /users/list.
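The checks the gateway applies with the settings above, worked through in Go as an added example (this is not AI Gateway's own code): an authorization service mints an RS256 token carrying a kid, and the verifier strips the configured Bearer prefix, pins the algorithm, selects the key by kid from a JWKS string in the console's format, checks the signature, and compares iss and sub. The key pair, kid, issuer and subject values are constructed for the example, since the private half of the key in the console JWKS is not available.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWTs and JWKs use unpadded base64url
func seg(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // stands in for the authorization service's key pair (constructed)

// Mint issues an RS256 token carrying a kid, as the caller's authorization service would (constructed for this example).
func Mint(priv *rsa.PrivateKey, kid, iss, sub string) string {
	in := seg(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + seg(map[string]string{"iss": iss, "sub": sub})
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(in))
	return in + "." + b64.EncodeToString(sig)
}

// Verify reproduces the gateway checks: strip the prefix, pin the algorithm, pick the JWK by kid from the console JWKS, verify RS256, compare iss and sub.
func Verify(header, prefix, keyset, wantIss, wantSub string) (c map[string]any, err error) {
	tok, ok := strings.CutPrefix(header, prefix)
	p := strings.Split(tok, ".") // always at least one element, so p[0] is safe before the length check
	var hdr struct{ Alg, Kid string }
	var ks struct{ Keys []struct{ Kid, Kty, N, E string } } // encoding/json matches field names case-insensitively
	if h, _ := b64.DecodeString(p[0]); !ok || len(p) != 3 || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" || json.Unmarshal([]byte(keyset), &ks) != nil {
		return nil, errors.New("malformed token, unsupported alg, or bad JWKS") // the token never gets to choose the algorithm
	}
	bi := func(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }
	for _, k := range ks.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			pub := &rsa.PublicKey{N: bi(k.N), E: int(bi(k.E).Int64())}
			if sig, _ := b64.DecodeString(p[2]); rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(p[0]+"."+p[1]), sig) != nil {
				return nil, errors.New("bad signature")
			}
			if b, _ := b64.DecodeString(p[1]); json.Unmarshal(b, &c) != nil || c["iss"] != wantIss || c["sub"] != wantSub {
				return nil, errors.New("iss/sub mismatch")
			}
			return c, nil // accepted; the gateway forwards the request, passing the token through if enabled
		}
	}
	return nil, errors.New("no key with matching kid")
}
```

Run it by minting a token with NewKey and Mint and passing a JWKS built from the same public key to Verify; a token whose kid is not in the JWKS, whose alg is not RS256, or whose payload was altered is rejected before iss and sub are compared.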