---
title: "Add JWT Authentication to Your Fiber API"
description: "Secure your Fiber API using JWT authentication with JWKS."
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/go/fiber/jwt-backend"
framework: "Fiber"
language: "Go"
authStrategy: "JWT with JWKS"
pageType: use-case
---

# Add JWT Authentication to Your Fiber API

Secure your Fiber API using JWT authentication with JWKS.

## How Zuplo Handles It

Let Zuplo issue short-lived JWTs signed with a JWKS your Fiber backend can verify — no long-lived API keys touch your origin.

## Fiber Backend Code

```go
package main

import (
    "fmt"
    "strings"

    "github.com/gofiber/fiber/v2"
    jwt "github.com/golang-jwt/jwt/v4"
    "github.com/MicahParks/keyfunc"
)

const (
    jwksURL = "https://my-api-a32f34.zuplo.api/__zuplo/issuer/.well-known/jwks.json"
    issuer  = "https://my-api-a32f34.zuplo.api/__zuplo/issuer"
)

var jwks *keyfunc.JWKS

func init() {
    var err error
    jwks, err = keyfunc.Get(jwksURL, keyfunc.Options{})
    if err != nil {
        panic(fmt.Sprintf("Failed to create JWKS from URL: %s", err))
    }
}

func JWTAuth(c *fiber.Ctx) error {
    authHeader := c.Get("Authorization")
    if authHeader == "" || !strings.HasPrefix(authHeader, "Bearer ") {
        return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{
            "error": "No token provided",
        })
    }

    tokenStr := strings.TrimPrefix(authHeader, "Bearer ")
    token, err := jwt.Parse(tokenStr, jwks.Keyfunc)

    if err != nil || !token.Valid {
        return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{
            "error": "Invalid token",
        })
    }

    if claims, ok := token.Claims.(jwt.MapClaims); ok {
        if claims["iss"] != issuer {
            return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{
                "error": "Invalid issuer",
            })
        }
        c.Locals("user", claims)
    }

    return c.Next()
}

func main() {
    app := fiber.New()

    app.Get("/protected", JWTAuth, func(c *fiber.Ctx) error {
        user := c.Locals("user")
        return c.JSON(fiber.Map{
            "message": "Access granted",
            "user":    user,
        })
    })

    app.Listen(":3000")
}
```

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)