---
title: "Add JWT Authentication to Your KrakenD API"
description: "Secure your KrakenD API using JWT authentication with JWKS."
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/go/krakend/jwt-backend"
framework: "KrakenD"
language: "Go"
authStrategy: "JWT with JWKS"
pageType: use-case
---

# Add JWT Authentication to Your KrakenD API

Secure your KrakenD API using JWT authentication with JWKS.

## How Zuplo Handles It

Let Zuplo issue short-lived JWTs, signed with a key whose public half is published as a JWKS, so your KrakenD backend can verify them and no long-lived API keys touch your origin.

## KrakenD Backend Code

```go
package main

import (
	"context"
	"net/http"
	"os"

	"github.com/devopsfaith/krakend-ce/v2/config"
	"github.com/devopsfaith/krakend-ce/v2/logging"
	"github.com/devopsfaith/krakend-ce/v2/security/jose"
	"github.com/devopsfaith/krakend-ce/v2/transport/http/server"
)

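func main() {
	// Load the service configuration (endpoints and their extra_config).
	cfg := config.Parser{}.Parse()
	logger, _ := logging.NewLogger("ERROR", os.Stdout, "")
	routerFactory := server.NewFactory(server.Config{
		Engine: defaultEngine(logger),
		Mux:    http.NewServeMux(),
	})

	// Register the JOSE validator under the same namespace the endpoint's
	// extra_config uses; the token's "kid" header selects the JWKS key.
	jose.Register(cfg, routerFactory, jose.HandlerFactory{
		ConfigKey: "auth/token_review",
		SignerCfg: jose.SignerConfig{KeyIDHeader: "kid"},
	})

	routerFactory.NewWithContext(context.Background()).Run(cfg)
}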

func defaultEngine(logger logging.Logger) server.HandlerFactory {
	return server.NewEngine(logger, []server.PluginRegister{
		jose.Register,
	}, func(cfg config.ServiceConfig) (http.Handler, error) {
		return http.NotFoundHandler(), nil
	})
}
```

Example endpoint protection:

```json
{
	"version": 2,
	"name": "Example KrakenD",
	"endpoints": [
		{
			"endpoint": "/protected",
			"extra_config": {
				"auth/token_review": {
					"alg": "RS256",
					"jwk-url": "https://my-api-a32f34.zuplo.api/__zuplo/issuer/.well-known/jwks.json",
					"disable_jwk_security": false,
					"roles_key": "roles",
					"roles": ["user", "admin"]
				}
			},
			"method": "GET",
			"backend": [
				{
					"url_pattern": "/",
					"method": "GET",
					"host": ["http://your_backend_service"]
				}
			]
		}
	]
}
```
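The check that the `alg`, `jwk-url` and `kid` settings above ask the gateway to make on each request, written out with only the Go standard library. This is an added example, not KrakenD or Zuplo code; `Verify`, its parameters and the constructed token in `main` are assumptions made for the illustration, and role matching is left out.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Verify accepts tok only if it is RS256, signed by the JWKS key named in kid, and unexpired.
func Verify(tok string, jwks []byte, now int64) error {
	var h struct{ Alg, Kid string }
	var c struct{ Exp int64 }
	var set struct{ Keys []struct{ Kid, N, E string } }
	dec := func(s string) []byte { // strict base64url: nil on error, so the next step fails
		b, err := base64.RawURLEncoding.DecodeString(s)
		if err != nil {
			return nil
		}
		return b
	}
	p := strings.Split(tok, ".")
	if len(p) != 3 || json.Unmarshal(jwks, &set) != nil ||
		json.Unmarshal(dec(p[0]), &h) != nil || json.Unmarshal(dec(p[1]), &c) != nil {
		return fmt.Errorf("malformed token or JWKS")
	}
	if h.Alg != "RS256" { // pin the algorithm; the token header must not choose it
		return fmt.Errorf("alg %q is not RS256", h.Alg)
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	for _, k := range set.Keys {
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(dec(k.N)), E: int(new(big.Int).SetBytes(dec(k.E)).Int64())}
		if k.Kid != h.Kid || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], dec(p[2])) != nil {
			continue // wrong key id, or the signature does not verify under this key
		}
		if now >= c.Exp { // a missing exp decodes to 0 and is rejected as well
			return fmt.Errorf("token expired")
		}
		return nil
	}
	return fmt.Errorf("no JWKS key with kid %q verifies this token", h.Kid)
}

// Constructed input: header {"alg":"none"}, empty claims and signature; Verify rejects it.
func main() { fmt.Println(Verify("eyJhbGciOiJub25lIn0.e30.", []byte(`{"keys":[]}`), 0)) }
```

`now` is Unix seconds, and `jwks` is the JSON document served at the configured JWKS URL, fetched and cached by the caller.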

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)
