Configure the JWT verification behavior

This behavior lets you identify and authorize consumers who send requests to your origin server. You can specify where in a client request JSON web tokens (JWTs) are passed, the collection of public keys used to verify the integrity of these tokens, and the specific claims to extract from them.


Use this procedure only if you want to use JWT as your authentication method.

  1. In the Property Configuration Settings section, click Add Behavior.

  2. Search for and select the JWT behavior.

  3. Click Insert Behavior.

  4. Select JWT location from the dropdown:

    • Select Request header to extract JWTs from the X-Akamai-DCP-Token header.
      Set Use custom header to Yes to use a header of your choice to pass JWTs.

    • Select Query string parameter to extract JWTs from a query string parameter of your choice.

    • Select Request header or query string parameter to search for JWTs in both the specified request header and the specified query string parameter. With JWT primary location, you tell edge servers where in a request to search for a JWT first. For example, if Request header is the primary location, edge servers first search for a JWT in the specified header. If no token is present there, edge servers search for it in the specified query string parameter.

  5. In JWT key collection, select the name of the active key collection to verify a token's signature. If you don't have a key collection, see Create a JWT key collection.

    When selecting a key collection, pay attention to the following:

    • The key collection needs to be active in the environment where you're activating your property. For example, if you're activating the property on staging, the key collection needs to be already active in the staging environment.

    • The key collection needs to store public keys that match the type of algorithm you use to sign JWTs. For example, if you allow authentication with tokens signed with the RS256 algorithm, the JWT collection needs to store RSA public keys.
      In the JWT key collection dropdown, next to each key collection name, you can see whether the collection is active in either environment and the type of public keys it stores.

  6. Set Extract client ID to Yes.

  7. Set Extract authorization groups to Yes.

  8. Set Extract username to Yes.

  9. Specify one or more algorithms that you want to use to sign your JWTs:

    • Set Allow RS256 to Yes to allow authentication with tokens signed with the RS256 algorithm.

    • Set Allow ES256 to Yes to allow authentication with tokens signed with the ES256 algorithm.

See Signing algorithms.
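The following Python sketch is an added example, not Akamai code. It models the primary/secondary token lookup from step 4 and a pre-flight check that a token's `alg` header is on the allow-list from step 9 and matches the key type of the collection from step 5. The query parameter name `token`, the function names, and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

DEFAULT_HEADER = "X-Akamai-DCP-Token"  # default header named in step 4
KEY_TYPE_FOR_ALG = {"RS256": "RSA", "ES256": "EC"}  # key type each algorithm needs


def find_token(headers, url, primary="header",
               header_name=DEFAULT_HEADER, query_param="token"):
    """Return (token, location); query_param "token" is a hypothetical name."""
    lowered = {k.lower(): v for k, v in headers.items()}
    query = parse_qs(urlsplit(url).query)
    found = {"header": lowered.get(header_name.lower()),
             "query": (query.get(query_param) or [None])[0]}
    order = ("header", "query") if primary == "header" else ("query", "header")
    for location in order:
        if found[location]:
            return found[location], location
    return None, None


def preflight(token, allowed_algs, collection_key_type):
    """Compare the JWT header's alg with the allow-list and the key type.

    Catches configuration mismatches only; it does not verify the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "reject: not a three-part compact JWT"
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)  # restore padding
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:
        return "reject: header is not base64url-encoded JSON"
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in allowed_algs or alg not in KEY_TYPE_FOR_ALG:
        return f"reject: alg {alg!r} is not allowed"
    if KEY_TYPE_FOR_ALG[alg] != collection_key_type:
        return f"reject: {alg} needs {KEY_TYPE_FOR_ALG[alg]} keys, collection has {collection_key_type}"
    return "ok"


def make_token(alg):
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc({'sub': 'device-1'})}.c2ln"
```

Running `preflight` against a sample token from each signing client before activation surfaces an algorithm or key-type mismatch early, before requests start failing verification.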