--- title: "Add JWT Authentication to Your Nginx API" description: "Secure your Nginx API using JWT authentication with JWKS." canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/c/nginx/jwt-backend" framework: "Nginx" language: "C" authStrategy: "JWT with JWKS" pageType: use-case --- # Add JWT Authentication to Your Nginx API Secure your Nginx API using JWT authentication with JWKS. ## How Zuplo Handles It Let Zuplo issue short-lived JWTs signed with a JWKS your Nginx backend can verify — no long-lived API keys touch your origin. ## Nginx Backend Code ```nginx # nginx.conf # Requires nginx-jwt-module or OpenResty with lua-resty-jwt # Using nginx-jwt-module (https://github.com/TeslaGov/ngx-http-auth-jwt-module) http { # JWKS configuration auth_jwt_key_file /etc/nginx/jwks.json; # Or fetch from URL (if supported by your module version) # auth_jwt_key_request /_jwks; server { listen 80; server_name api.example.com; # Protected endpoint location /protected { auth_jwt "API"; auth_jwt_algorithm RS256; # Validate issuer claim auth_jwt_validate_claim iss "https://my-api-a32f34.zuplo.api/__zuplo/issuer"; # Pass claims to upstream proxy_set_header X-JWT-Sub $jwt_claim_sub; proxy_set_header X-JWT-Iss $jwt_claim_iss; proxy_pass http://backend; } # JWKS endpoint for fetching keys (internal) location = /_jwks { internal; proxy_pass https://my-api-a32f34.zuplo.api/__zuplo/issuer/.well-known/jwks.json; proxy_cache jwks_cache; proxy_cache_valid 200 10m; } } # Cache for JWKS proxy_cache_path /var/cache/nginx/jwks levels=1:2 keys_zone=jwks_cache:1m max_size=10m; } ``` ## Example Request ```bash curl -X GET \ 'https://your-api.zuplo.dev/your-route' \ -H 'Authorization: Bearer YOUR_API_KEY' ``` ## Learn More - [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound) - [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound) - [All use cases](https://zuplo.com/use-cases)