JWT authentication

Verified Code examples on this page have been automatically tested and verified.

Verify JWT tokens from incoming requests using JWKS and configured issuers.

Attaches to: Route

Agentgateway supports more than one configuration style. Where a feature can also be configured in the simplified llm or mcp modes, the examples on this page show each option in tabs. For more information, see Routing-based configuration.

JWT tokens from incoming requests can be verified. A JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties. JWTs are commonly used for authentication and authorization in agentgateway.

JWT authentication requires a few parameters:

  • The issuer is the issuer that tokens must come from; it is checked against the token's iss claim.
  • The audiences list contains the allowed audience values (aud).
  • The jwks defines the list of public keys to verify token signatures against.

Additionally, authentication can run in one of three modes:

  • Strict: A valid token, issued by a configured issuer, must be present.
  • Optional (default): If a token exists, validate it.
    Warning: This allows requests without a JWT token!
  • Permissive: Requests are never rejected. This is useful when later steps (authorization, logging, etc.) use the claims.
    Warning: This allows requests without a JWT token!

# yaml-language-server: $schema=https://agentgateway.dev/schema/config
llm:
  policies:
    jwtAuth:
      mode: strict
      issuer: agentgateway.dev
      audiences: [test.agentgateway.dev]
      jwks:
        # Relative to the folder the binary runs from, not the config file
        file: ./manifests/jwt/pub-key
  models:
  - name: "*"
    provider: openAI
    params:
      apiKey: "$OPENAI_API_KEY"

It is common to pair jwtAuth with authorization, using the claims from the verified JWT. For example:

# yaml-language-server: $schema=https://agentgateway.dev/schema/config
llm:
  policies:
    jwtAuth:
      mode: strict
      issuer: agentgateway.dev
      audiences: [test.agentgateway.dev]
      jwks:
        file: ./manifests/jwt/pub-key
    authorization:
      rules:
      - allow: 'request.path == "/admin" && jwt.groups.contains("admins")'
  models:
  - name: "*"
    provider: openAI
    params:
      apiKey: "$OPENAI_API_KEY"
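
The three modes and the authorization rule above, as an added example: a simplified Python model, not agentgateway's own code. It assumes the JWKS signature check has already run (the `signature_ok` flag) and that claims reach later steps only when the token verifies; `Token`, `authenticate` and `admin_rule` are hypothetical names.

```python
# Added illustration, not agentgateway code: a simplified model of the three
# jwtAuth modes. The JWKS signature check is abstracted into `signature_ok`.
from dataclasses import dataclass
from typing import Optional

ISSUER = "agentgateway.dev"              # issuer from the page's config
AUDIENCES = {"test.agentgateway.dev"}    # audiences from the page's config

@dataclass
class Token:                             # hypothetical already-decoded token
    claims: dict
    signature_ok: bool                   # outcome of verifying against the JWKS

def token_valid(tok: Token) -> bool:
    """Signature, iss and aud must all pass."""
    aud = tok.claims.get("aud", [])
    aud = {aud} if isinstance(aud, str) else set(aud)  # aud: string or list
    return (tok.signature_ok and tok.claims.get("iss") == ISSUER
            and bool(aud & AUDIENCES))

def authenticate(mode: str, tok: Optional[Token]):
    """Return (admitted, claims); claims is None unless the token verified."""
    if tok is not None and token_valid(tok):
        return True, tok.claims
    if mode == "strict":
        return False, None               # missing or invalid token: reject
    if mode == "optional":
        return tok is None, None         # missing: admit; present but invalid: reject
    if mode == "permissive":
        return True, None                # never reject (assumed: no claims exposed)
    raise ValueError(f"unknown mode: {mode}")

def admin_rule(path: str, claims: Optional[dict]) -> bool:
    """Model of: request.path == "/admin" && jwt.groups.contains("admins")."""
    return (path == "/admin" and claims is not None
            and "admins" in claims.get("groups", []))

if __name__ == "__main__":
    # Constructed sample tokens.
    samples = {
        "none": None,
        "admin": Token({"iss": ISSUER, "aud": "test.agentgateway.dev",
                        "groups": ["admins"]}, True),
        "wrong-aud": Token({"iss": ISSUER, "aud": ["other.example"]}, True),
    }
    for mode in ("strict", "optional", "permissive"):
        for name, tok in samples.items():
            admitted, claims = authenticate(mode, tok)
            print(f"{mode:10} {name:9} admitted={admitted} "
                  f"admin_rule={admin_rule('/admin', claims)}")
```

In optional and permissive mode the tokenless request passes authentication, so the claim-based rule is the only control left on `/admin`.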