---
title: "Add JWT Authentication to Your Iris API"
description: "Secure your Iris API using JWT authentication with JWKS."
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/go/iris/jwt-backend"
framework: "Iris"
language: "Go"
authStrategy: "JWT with JWKS"
pageType: use-case
---

# Add JWT Authentication to Your Iris API

Secure your Iris API using JWT authentication with JWKS.

## How Zuplo Handles It

Let Zuplo issue short-lived JWTs signed with a JWKS your Iris backend can verify — no long-lived API keys touch your origin.

## Iris Backend Code

```go
package main

import (
    "fmt"
    "strings"

    "github.com/kataras/iris/v12"
    jwt "github.com/golang-jwt/jwt/v4"
    "github.com/MicahParks/keyfunc"
)

const (
    jwksURL = "https://my-api-a32f34.zuplo.api/__zuplo/issuer/.well-known/jwks.json"
    issuer  = "https://my-api-a32f34.zuplo.api/__zuplo/issuer"
)

var jwks *keyfunc.JWKS

func init() {
    var err error
    jwks, err = keyfunc.Get(jwksURL, keyfunc.Options{})
    if err != nil {
        panic(fmt.Sprintf("Failed to create JWKS from URL: %s", err))
    }
}

func JWTAuth(ctx iris.Context) {
    authHeader := ctx.GetHeader("Authorization")
    if authHeader == "" || !strings.HasPrefix(authHeader, "Bearer ") {
        ctx.StatusCode(iris.StatusUnauthorized)
        ctx.JSON(iris.Map{"error": "No token provided"})
        return
    }

    tokenStr := strings.TrimPrefix(authHeader, "Bearer ")
    token, err := jwt.Parse(tokenStr, jwks.Keyfunc)

    if err != nil || !token.Valid {
        ctx.StatusCode(iris.StatusUnauthorized)
        ctx.JSON(iris.Map{"error": "Invalid token"})
        return
    }

    if claims, ok := token.Claims.(jwt.MapClaims); ok {
        if claims["iss"] != issuer {
            ctx.StatusCode(iris.StatusUnauthorized)
            ctx.JSON(iris.Map{"error": "Invalid issuer"})
            return
        }
        ctx.Values().Set("user", claims)
    }

    ctx.Next()
}

func main() {
    app := iris.New()

    app.Get("/protected", JWTAuth, func(ctx iris.Context) {
        user := ctx.Values().Get("user")
        ctx.JSON(iris.Map{
            "message": "Access granted",
            "user":    user,
        })
    })

    app.Listen(":8080")
}
```

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)