Authentication

Okta JWT Auth Policy

Authenticate requests with JWT tokens issued by Okta. This is a customized version of the OpenId JWT Policy specifically for Okta.

See this document for more information about OAuth authorization in Zuplo.

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.


config/policies.json
{
  "name": "my-okta-jwt-auth-inbound-policy",
  "policyType": "okta-jwt-auth-inbound",
  "handler": {
    "export": "OktaJwtInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "allowUnauthenticatedRequests": false,
      "audience": "api://my-api",
      "issuerUrl": "https://dev-12345.okta.com/oauth2/abc",
      "oAuthResourceMetadataEnabled": false
    }
  }
}

Policy Configuration

name <string> - The name of your policy instance. This is used as a reference in your routes.
policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be okta-jwt-auth-inbound.
handler.export <string> - The name of the exported type. Value should be OktaJwtInboundPolicy.
handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

allowUnauthenticatedRequests <boolean> - Allow unauthenticated requests to proceed. This is use useful if you want to use multiple authentication policies or if you want to allow both authenticated and non-authenticated traffic. Defaults to false.
issuerUrl (required) <string> - Your Okta authorization server's issuer URL. For example, https://dev-12345.okta.com/oauth2/abc.
audience <string> - The Okta audience of your API, for example api://my-api.
oAuthResourceMetadataEnabled <boolean> - Flag that determines whether OAuth protected resource metadata is enabled. Defaults to false.

Using the Policy

Read more about how policies work

Edit this page

Last modified on June 24, 2026

Firebase JWT Auth JWT Auth

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

config/policies.json

{
  "name": "my-okta-jwt-auth-inbound-policy",
  "policyType": "okta-jwt-auth-inbound",
  "handler": {
    "export": "OktaJwtInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "allowUnauthenticatedRequests": false,
      "audience": "api://my-api",
      "issuerUrl": "https://dev-12345.okta.com/oauth2/abc",
      "oAuthResourceMetadataEnabled": false
    }
  }
}

Policy Configuration

name <string> - The name of your policy instance. This is used as a reference in your routes.

policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be okta-jwt-auth-inbound.

handler.export <string> - The name of the exported type. Value should be OktaJwtInboundPolicy.

handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).

handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

allowUnauthenticatedRequests <boolean> - Allow unauthenticated requests to proceed. This is use useful if you want to use multiple authentication policies or if you want to allow both authenticated and non-authenticated traffic. Defaults to false.

issuerUrl (required) <string> - Your Okta authorization server's issuer URL. For example, https://dev-12345.okta.com/oauth2/abc.

audience <string> - The Okta audience of your API, for example api://my-api.

oAuthResourceMetadataEnabled <boolean> - Flag that determines whether OAuth protected resource metadata is enabled. Defaults to false.