Introducing JWT validation for your API

API security breaches have become pervasive: 70% of organizations have experienced an API security incident in the past year. From fitness trackers exposing workout habits to hotel chains leaking guest information, insecure APIs threaten our interconnected world. Given their critical impact, securing APIs should be a top priority for development teams, and JWTs provide an efficient way to add security to your API endpoints, providing both authentication (validating the client’s identity) as well as authorization (validating the client’s permissions to perform certain actions).

Our developer-defined API gateway introduces support for JWT validation. In this blog, we'll delve into how ngrok's robust JWT validation capabilities equip you to safeguard your APIs. We'll explore the benefits of using JWTs, how it’s implemented at ngrok, and how this enhancement bolsters your overall API security posture.

Introducing ngrok's JWT Validation Action

When a client successfully authenticates with your origin service, your auth service issues a JWT. The JWT can vary in content based on your specific setup. The application or client includes this JWT in subsequent requests to your API. Before sending the request to your origin service, ngrok validates the JWT using your JSON Web Key Set (JWKS).

ngrok's JWT Validation action offers a way to integrate your existing JWT infrastructure with ngrok, enhancing the security of your API endpoints. Your auth service provider, such as Auth0 or Forgerock, authenticates the application making the request and issues a JWT containing claims and scopes that authorize the application to perform certain actions.

ngrok verifies that requests sent to your API contain a valid JWT signed by a key from your issuer’s JWKS URL. This verification process happens in ngrok’s global network, keeping your applications and APIs safe. If the request includes an invalid JWT or comes from an unauthorized requestor, the request never reaches your origin service, eliminating unwanted traffic and potential security threats.

When a request to your origin service comes through one of ngrok's global Points of Presence (PoP), we forward the request to your origin server only after the following checks have passed:

1. Ensure a JWT is present in the request headers or body
2. Validate the token was issued by a trusted source
3. Check that the token is intended for your origin service
4. Confirm that the token has not expired
5. Verify that the token has the correct signature using configured algorithms and keys
6. Ensure the JWT is encrypted

JWT configuration

Secure your APIs using JWTs by adding the JWT Validation action to your Traffic Policy module configuration. If using the ngrok agent, add the action to your agent config file. Your configuration will be pushed from the local agent to ngrok’s global network, and JWTs will be validated there before traffic ever reaches your network. Unlike some other implementations, ngrok’s JWT Validation action supports validating tokens in the body of the JWT as well.

on_http_request:
  actions:
    - type: jwt-validation
      config:
        issuer:
          allow_list:
            - value: https://example.com/issuer
        audience:
          allow_list:
            - value: urn:example:api
        http:
          tokens:
            - type: access_token
              method: header
              name: Authorization
              prefix: "Bearer "
            - type: it+jwt
              method: body
              name: _id_token
        jws:
          allowed_algorithms:
            - RS256
            - ES256
          keys:
            sources:
              additional_jkus:
                - https://example.com/issuer/jku

You can also configure JWT Validation for your Edges directly in the ngrok Dashboard. In either case, you’ll add your JWT configuration as an inbound policy since it will be applied to incoming requests.

But wait, what is a JWT?

JSON web token (JWT)—pronounced “jot”— is an open standard used to securely transmit digitally signed data over the internet as a JSON object. Once issued, each request contains the JWT, which is verified with a JSON Web Key Set (JWKS) from the issuer. JWTs comprise a header, payload, and signature, providing a stateless, scalable solution ideal for API security.

JWTs offer an efficient and compact format easily transmitted in HTTP headers or URL POST parameters. They provide a quicker verification than traditional cryptographic operations like password verification.

JWTs support a stateless architecture, removing the need for session data storage at the origin service or browser. JWTs offer secure authentication under your control, moving away from traditional password-based sessions. They have a built-in expiration and can be revoked, providing enhanced security compared to potentially unsafe API keys.

Secure your APIs with ngrok’s JWT Validation

Over 5 million developers have adopted ngrok to bring secure connectivity across the development lifecycle —from dev/test to production environments. With JWT validation, you can strengthen the security of your APIs by offloading API protection to ngrok’s global network.

You can sign up today and get started. Don’t hesitate to reach out if you have any questions or encounter any issues. Connect with us on Twitter, the ngrok community on Slack, or contact us at support@ngrok.com.