DocsICP FilingConsole
官方文档
首页

API token validation

更新时间:
复制 MD 格式
产品详情
我的收藏

You can create an API token compliance validation rule by adding a custom JSON Web Token (JWT) and binding it to the API that requires verification. ESA will then perform token compliance validation on incoming requests and process them to secure your business APIs.

Configure an API token rule

  1. In the ESA console, choose Websites. In the Website column, click the target website.

  2. In the left-side navigation pane, choose Security > API Security.

  3. On the API Security page, click the API Rules tab, and then click Token Configuration.image

  4. Click Add to create a token configuration.image

  5. Configure the token parameters, and then click OK:

    • Configuration Name: Enter a custom name for the configuration, such as JWT-Demo.

    • Token Location: Select the location of the token in the request. You can select Header or Cookie and enter the corresponding key name.

      Note

      To check for tokens in multiple locations, click Or to create a logical OR condition. ESA can check up to four locations simultaneously.

    • Token Key: Add a token key by entering it manually or uploading a JSON file. For key requirements, see Token details.

      Note

      If you configure multiple keys, ESA uses the kid field to select a key for validation. The request passes validation if it matches any of the keys.

    image

  6. After configuring the token, return to the API Rules tab and click Add Rule to create an API rule.image

  7. Configure the following token validation parameters:

    • Rule Name: Enter a custom name for the rule, such as rule-jwt-demo.

    • Verify API: Click the drop-down list to select the hostname for token compliance verification. ESA will then automatically display the list of APIs under the selected hostname. Review and select the required APIs.

    • Select Token Configuration: Select one or more token configurations. If you select multiple configurations, choose one of the following options:

      • Validate at least one: The request must match at least one of the selected token configurations. Otherwise, the request is considered non-compliant.

      • Validate all: The request must match all of the selected token configurations. Otherwise, the request is considered non-compliant.

        Note

        By default, ESA considers requests without a token non-compliant. To allow requests that are missing a specific token, select Ignore from the drop-down list in the If No Token column for the corresponding token.

    • Action: Select an action for requests that fail token validation:

      • Monotor: Allows non-compliant requests and records a log. For more information, see Events.

      • Block: Blocks non-compliant requests and records a block log. For more information, see Events.

    image

Verify the results

After creating an API rule, navigate to Security > Events. On the Events page, filter by the API Rule protection rule type. View detailed protection logs in the Sampling Logs section.

Token details

Token validation currently supports only JWT verification.

Field descriptions

The public key must be in JSON Web Key (JWK) format and contain the kid and alg fields.

  • kty: The key type, for example, EC for an Elliptic Curve key.

  • use: The intended use of the public key, for example, sig indicates that the key is used for digital signatures.

  • crv: The type of elliptic curve, for example, P-256 for the NIST-standardized P-256 curve.

  • kid: A custom key identifier, such as esa. The JWK must contain the kid field for key selection. Similarly, the JWT in the request must also contain a kid claim. This field enables token key rotation.

  • x: The x-coordinate of the elliptic curve public key.

  • y: The y-coordinate of the elliptic curve public key.

  • alg: The algorithm identifier. Currently, only ES256 (ECDSA with SHA-256) is supported.

Example

{
  "kty": "EC",
  "use": "sig",
  "crv": "P-256",
  "kid": "esa",
  "x": "QG3VFVwUX4IatQvBy7sqBvvmticCZ-eX5-nbtGKBOfI",
  "y": "A3PXCshn7XcG7Ivvd2K_DerW4LHAlIVKdqhrUnczTD0",
  "alg": "ES256"
}

FAQ

What is a JWT?

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs can be used as a standalone authentication token that contains information such as a user identity, roles, and permissions. This information allows a client to retrieve resources from a resource server. JWTs also support custom claims for business logic. JWTs are particularly suitable for login scenarios in distributed websites.

A JWT consists of three parts: a Header, a Payload, and a Signature. Each part is Base64-encoded and concatenated by periods (.) to form a string in the format Header.Payload.Signature:

  • Header: The Header typically consists of two parts: the type of the token (JWT) and the signing algorithm used.

  • Payload: The Payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. You can also add custom claims required by your system.

  • Signature: The Signature verifies the sender's identity and ensures the message's integrity.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

How do I generate a JWT?

Use https://mkjwk.org to generate a private key and public key for token generation and validation:

  1. In a web browser, go to https://mkjwk.org.

  2. Click the EC tab, configure the parameters, and then click Generate. In the Public Key section, click Copy to Clipboard.

    • Curve: Select P-256.

    • Key Use: Select Signature.

    • Algorithm: Select ES256: ECDSA using P-256 and SHA-256.

    • Key ID: Enter a custom key identifier, such as esa.

    image

Previous:Schema validationNext:Settings