Skip to main content

JWT Validation


The JWT Validation action allows you to configure ngrok to validate JSON Web Tokens (JWT) at our cloud edge before routing the traffic to your origin service. You will need to tell ngrok where to find the token, as well as the claims and algorithms used to verify it's authenticity. When configuring this action in a locally running agent, it is pushed to our global network which secures traffic before it hits your network.

The request is allowed only if it has been correctly signed by the issuer and the defined claims match.

We have created guides for configuring this action with the following providers:

A useful tool for working with JWTs is provided at


Use this action config in your Traffic Policy

# snippet
- type: "jwt-validation"
- value: ""
- value: "urn:example:api"
- type: "access_token"
method: "header"
name: "Authorization"
prefix: "Bearer "
- type: "it+jwt"
method: "body"
name: "_id_token"
- "RS256"
- "ES256"
- ""


Multiple Issuers

You may specify multiple issuers to be used for JWT validation. A request is considered validated if it presents a JWT signed by any of the specified issuers. The issuer must match the one provided in the JWT exactly, including the trailing slash (/) if present in the token's iss claim.

Multiple Audience Claims

You may specify multiple audience claims to be used for JWT validation. JWT validation will require at least one of the audience claims to be present within the JWT. This is also an exact match.

Multiple Signing Keys

You have the ability to provide multiple JSON Web Key Set (JWKS) urls and signing algorithms. During JWT validation the list of JWKS and algorithms provided will be used in an attempt to validate the JWT. This list will be tried in order and is cached for performance. The cache is refreshed roughly every 15 minutes.

Multiple Tokens

If multiple tokens are defined within the HTTP configuration parameter, all tokens must be present in the request. If all tokens are not present a 401 status code will be returned.


Supported Directions

  • Inbound


issuerJWTIssuerConfigconfiguration about the Issuer(s) of the JWTs.
audienceJWTAudienceConfigconfiguration about the Audience(s) of the JWTs.
httpJWTHTTPConfigconfiguration about the HTTP requests containing JWTs.
jwsJWTSigningConfigconfiguration about signed JWTs (JWS).

JWTIssuerConfig Parameters

allow_listJWTIssuerthe list of allowed issuers.

JWTIssuer Parameters

valuestringthe URL of the issuer. This can be found in the iss claim after decoding the JWT or from the /.well-known/openid-configuration endpoint in your Identity Provider.

JWTAudienceConfig Parameters

allow_listJWTAudiencethe list of allowed audiences.

JWTAudience Parameters

valuestringthe value of the audience claim. This can be found in the aud claim after decoding the JWT or from the request used to create the token in the first place.

JWTHTTPConfig Parameters

tokensJWTHTTPTokenthe list of tokens to validate.

JWTHTTPToken Parameters

typestringthe type of the JWT, which acts as a hint to ngrok about how ngrok should parse the token. Must be one of "access_token", "at+jwt", "id_token", "it+jwt", "plain", or "jwt".
methodstringthe location in the request to expect the JWT. Must be one of "header" or "body". We do not support including a token as a URL query parameter. When choosing body, the method must be POST, PUT, or PATCH and the content type header must be set to either application/json or application/x-www-form-urlencoded.
namestringthe name of the header or body field where the JWT is expected (Example: "Authorization"). This is not case sensitive.
prefixstringAny prefix to strip from the header or body field before parsing the JWT (Example: "Bearer ").

JWTSigningConfig Parameters

allowed_algorithmsList<string>the list of allowed signing algorithms. We do not support none as a value here because it is insecure.
keysJWTSigningKeysthe configuration for the JWT signing keys.

JWTSigningKeys Parameters

sourcesJWTSigningKeySourcesthe configuration for the key material used to verify the signed JWTs.

JWTSigningKeySources Parameters

additional_jkusList<string>a list of URLs which serve the possible signing keys in JWKS format. These urls are cached and refreshed roughly every 15 minutes.

Action Result Variables

The following variables are available following the invocation of this action.

actions.ngrok.jwt_validation.tokens[]JWTThe JWTs processed by the action.
actions.ngrok.jwt_validation.tokens[i].headermap[string]stringThe header portion of the JWT, parsed into a key value map.
actions.ngrok.jwt_validation.tokens[i].locationstringThe location in the request where the JWT was included.
actions.ngrok.jwt_validation.tokens[i].location_propertystringThe name of the header or body field where the JWT was included.
actions.ngrok.jwt_validation.tokens[i].payloadmap[string]stringThe payload portion of the JWT, parsed into a key value map.
actions.ngrok.jwt_validation.tokens[i].signaturestringThe signature portion of the JWT, in base64 encoded format.
actions.ngrok.jwt_validation.tokens[i].verifiedbooleanTrue if this token was verified.
actions.ngrok.jwt_validation.error.codestringCode for an error that occurred during the invocation of an action.
actions.ngrok.jwt_validation.error.messagestringMessage for an error that occurred during the invocation of an action.