Configuring JWT
The Moesif Developer Portal can be used with JSON Web Tokens (JWT) to generate keys and display them to customers so they can access your APIs. Any API gateway or framework that supports JWT can be used with this plugin, including AWS API Gateway with a Lambda Authorizer, along with most web frameworks. In order to identify the company or customer, a claim is added to the JWT. By default, this claim is org_id but it can be changed.
A JWT is a bearer token and requires extra caution: anyone holding the token can use it. You should either issue short-lived tokens or have a separate mechanism to revoke JWTs in case one is leaked. Moesif governance rules can be used to block tokens automatically if you don’t have this functionality.
Configure the Developer Portal
Configuring the .env File
In the my-dev-portal-api project, you’ll need to set the following envvars in your .env file:
| envvar name | description |
|---|---|
| PLUGIN_JWT_ALGORITHM | Algorithm to use for signing the JWT |
| PLUGIN_JWT_SECRET | Secret used for signing. Make sure to keep it private and store it in a robust key store. |
| PLUGIN_JWT_USER_ID_FIELD | The field in the claims that contains the user id. Defaults to “sub” |
| PLUGIN_JWT_COMPANY_ID_FIELD | The field in the claims that contains the company (customer) id. Defaults to “org_id” |
| PLUGIN_JWT_EXPIRES_IN | How long the JWT is valid. Can be a number in seconds or shorthand like “30d” |
Configuring API gateway or app
Within your API gateway or service, install a Moesif server integration.
Configure the server integration’s identify company function to extract the org_id claim from the JWT.
AWS API Gateway Specific Configuration
In order to set up JWT key provisioning with AWS API Gateway, you can either create a JWT authorizer or a custom Lambda Authorizer.
Follow the instructions here to create a new Lambda Authorizer. Once done:
- If not done already, cd into my-dev-portal-api and run npm install
- Go to your newly created Lambda Authorizer in the AWS Console
- Under Code source, click the Upload from dropdown and select .zip file.
- Upload the zip resources/aws-authorizer/authorizer.zip to your newly created authorizer.