Secure your API with TokenX¶
This how-to guides you through the steps required to secure your API using TokenX:
Grant access to consumers¶
Specify inbound access policies to authorize your consumers:
spec:
tokenx:
enabled: true
accessPolicy:
inbound:
rules:
- application: app-1 # same namespace and cluster
- application: app-2 # same cluster
namespace: team-a
- application: app-3
namespace: team-b
cluster: prod-gcp
The above configuration authorizes the following applications:
- application
app-1
running in the same namespace and same cluster as your application - application
app-2
running in the namespaceteam-a
in the same cluster - application
app-3
running in the namespaceteam-b
in the clusterprod-gcp
Now that you have granted access to your consumers, they can now exchange tokens for new tokens that target your application. You will need to validate these tokens in your application.
Validate tokens¶
Verify incoming requests from consumers by validating the Bearer token in the Authorization
header.
Always validate the signature and standard time-related claims. Additionally, perform the following validations:
Issuer Validation
Validate that the iss
claim has a value that is equal to either:
- the
TOKEN_X_ISSUER
environment variable, or - the
issuer
property from the metadata discovery document. The document is found at the endpoint pointed to by theTOKEN_X_WELL_KNOWN_URL
environment variable.
Audience Validation
Validate that the aud
claim is equal to TOKEN_X_CLIENT_ID
.
Signature Validation
Validate that the token is signed with a public key published at the JWKS endpoint. This endpoint URI can be found in one of two ways:
- the
TOKEN_X_JWKS_URI
environment variable, or - the
jwks_uri
property from the metadata discovery document. The document is found at the endpoint pointed to by theTOKEN_X_WELL_KNOWN_URL
environment variable.
Other Token Claims
Other claims may be present in the token. Validation of these claims is optional.
See the TokenX claims reference for details.