---
title: "Add JWT Authentication to Your undefined API"
description: undefined
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/java/dropwizard/jwt-backend"
framework: undefined
language: undefined
authStrategy: "JWT with JWKS"
pageType: use-case
---

# Add JWT Authentication to Your undefined API



## How Zuplo Handles It

Let Zuplo issue short-lived JWTs signed with a JWKS your undefined backend can verify — no long-lived API keys touch your origin.

## undefined Backend Code

```java
package com.example.auth;

import io.dropwizard.Application;
import io.dropwizard.setup.Bootstrap;
import io.dropwizard.setup.Environment;
import io.dropwizard.auth.AuthFilter;
import io.dropwizard.auth.AuthValueFactoryProvider;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.SignatureAlgorithm;
import com.example.auth.utils.JwksUtils;
import com.example.auth.resources.ProtectedResource;
import javax.servlet.http.HttpServletRequest;

import java.security.Key;
import java.security.PublicKey;
import java.util.Optional;

public class JwtAuthApplication extends Application<JwtAuthConfiguration> {
    public static final String ISSUER = "https://my-api-a32f34.zuplo.api/__zuplo/issuer";

    public static void main(String[] args) throws Exception {
        new JwtAuthApplication().run(args);
    }

    @Override
    public void initialize(Bootstrap<JwtAuthConfiguration> bootstrap) {
        // Initialization if needed
    }

    @Override
    public void run(JwtAuthConfiguration configuration, Environment environment) throws Exception {
        environment.jersey().register(new ProtectedResource());
        environment.jersey().register(new AuthValueFactoryProvider.Binder<>(Claims.class));
        environment.jersey().register(createAuthFilter());
    }

    private AuthFilter<Optional<Claims>, Claims> createAuthFilter() {
        return new AuthFilter.Builder<Optional<Claims>, Claims>()
            .setAuthenticator((credentials) -> {
                if (!credentials.isPresent()) return Optional.empty();
                try {
                    Key key = JwksUtils.getSigningKeyFromJwks(ISSUER, credentials.get().getHeader().get("kid").toString());
                    Claims claims = Jwts.parserBuilder()
                        .setSigningKey(key)
                        .requireIssuer(ISSUER)
                        .build()
                        .parseClaimsJws(credentials.get().getRawValue())
                        .getBody();
                    return Optional.of(claims);
                } catch (Exception e) {
                    return Optional.empty();
                }
            })
            .setAuthorizer((claims, role) -> claims.get().containsKey("roles") && claims.get().get("roles").contains(role))
            .setPrefix("Bearer")
            .buildAuthFilter();
    }
}
```

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)