
Authentication using JWT on the API Gateway

JWT (JSON Web Token) authentication allows the Gateway to reference an external, third-party Identity Provider (IdP) for faster performance, increased governance, and modern security. By offloading identity management to specialized providers—such as Okta, Amazon Cognito, Google Cloud, or Microsoft Azure AD—organizations can enforce robust enterprise security standards.

Implementing JSON Web Token (JWT) authentication offers several strategic advantages:

  • Enhanced Performance: Provides a stateless authentication model that reduces the overhead of repeated credential verification.

  • Improved Governance: Centralizes user access control within a dedicated IdP, ensuring consistent policy enforcement across all APIs.

  • Scalable Security: Utilizes industry-standard security protocols to protect sensitive data and streamline the user experience.

Once an Authentication Source is configured on the Authentication page, it can be applied to any deployed API to ensure secure, high-performance access management.

Creating a JWT Authentication Source

  1. Navigate to Configure Server > Authentication and choose +New Authentication Source.

  2. Enter the following:

    • Authentication Source Name: (e.g., Okta JWT).
    • Description: (e.g., JWT Authentication source via Okta used in a configured Gateway).
    • Identity Provider Type: Select JWT Authentication.

  3. Select OK.

Authentication Source settings for JWT

The Source Configuration for JWT (JSON Web Token) page enables you to review and modify the properties of your external Identity Provider.

You must select an identity provider type during the creation of an Authentication Source. JWT Authentication allows you to pass a user's authentication information and user privileges in the form of a signed JSON token. The server validates this token by verifying the token signature and extracts user privileges from the token.

In most cases, both access tokens and ID tokens issued by the identity provider can be used for API execution. It is recommended that you configure your identity provider, set up an application, and then use access tokens to authenticate your Boomi managed APIs. Access tokens are recommended because they are meant for resource authorization and do not carry additional personal user information. The following signature algorithms are supported for token validation by a JWT Authentication Source:

  • RSA - RS256, RS384, and RS512
  • EC - ES256, ES256K, ES384, and ES512
  • HMAC - HS256, HS384, and HS512
Note: Refer to your identity provider documentation for configuration instructions.
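As an added illustration, not Boomi's own code, the following stand-alone Python walks through the validation sequence described above: check the token header's alg against the supported list, verify the signature, check expiry, then read the user's privileges from the claims. It covers the HMAC family only, because that can be done with the standard library; RS and ES tokens need the provider's public key and a cryptography library. The privilege claim name `scope`, the shared secret, and the sample claims are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Algorithm families the page lists for token validation. Anything else,
# including "none", is rejected before any signature check is attempted.
SUPPORTED_ALGS = {
    "RS256", "RS384", "RS512",
    "ES256", "ES256K", "ES384", "ES512",
    "HS256", "HS384", "HS512",
}
HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_hs_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a signed HMAC JWT. Used here only to construct sample input."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), HMAC_DIGESTS[alg]).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify signature and expiry, then return the claims. Raises ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated segments")
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in SUPPORTED_ALGS:
        raise ValueError(f"unsupported alg: {alg!r}")
    if alg not in HMAC_DIGESTS:
        # RS*/ES* need the IdP's public key and a crypto library; not covered by this example.
        raise ValueError(f"{alg} verification not implemented in this example")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, HMAC_DIGESTS[alg]).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def check_token(token: str, secret: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Gateway-style accept/reject decision with the reason, instead of an exception."""
    try:
        validate_token(token, secret, now)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


def extract_privileges(claims: dict) -> list:
    """Read the privilege list from the claims. The claim name 'scope' is an assumption."""
    scope = claims.get("scope", "")
    return scope.split() if isinstance(scope, str) else list(scope)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    token = mint_hs_token({"sub": "user1", "scope": "read:orders write:orders", "exp": 2000}, secret)
    print(check_token(token, secret, now=1000))
    print(extract_privileges(validate_token(token, secret, now=1000)))
    print(check_token(token, b"wrong-secret", now=1000))
```

The order of checks matters: the algorithm is validated against the allowlist before the signature is computed, so a header that names an unsupported algorithm is rejected without consulting the key at all, and a changed payload fails the signature check because the signature covers both the header and the payload.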
