---
title: "Add JWT Authentication to Your Helidon API"
description: undefined
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/java/helidon/jwt-backend"
framework: helidon
language: java
authStrategy: "JWT with JWKS"
pageType: use-case
---

# Add JWT Authentication to Your Helidon API



## How Zuplo Handles It

Let Zuplo issue short-lived JWTs, signed with keys published in a JWKS that your Helidon backend can verify, so no long-lived API keys touch your origin.

## Helidon Backend Code

```java
import java.net.URI;

import io.helidon.common.configurable.Resource;
import io.helidon.security.Security;
import io.helidon.security.SecurityContext;
import io.helidon.security.integration.webserver.WebSecurity;
import io.helidon.security.providers.jwt.JwtProvider;
import io.helidon.webserver.Routing;
import io.helidon.webserver.ServerRequest;
import io.helidon.webserver.ServerResponse;
import io.helidon.webserver.WebServer;

// Written against the Helidon SE 2.x/3.x API (reactive WebServer and Routing).
public class JwtAuthExample {
    private static final String ISSUER = "https://my-api-a32f34.zuplo.api/__zuplo/issuer";

    public static void main(String[] args) {
        Security security = Security.builder()
                .addProvider(JwtProvider.builder()
                        .issuer(ISSUER)
                        // Public keys for signature verification, loaded from the issuer's JWKS endpoint
                        .verifyJwk(Resource.create(URI.create(ISSUER + "/.well-known/jwks.json")))
                        .build())
                .build();

        WebServer server = WebServer.builder()
                .routing(createRouting(security))
                .build()
                .start()
                .await(); // start() is asynchronous; wait until the port is bound

        System.out.println("Server started at: http://localhost:" + server.port());
    }

    private static Routing createRouting(Security security) {
        return Routing.builder()
                // Require authentication by default, so requests without a valid JWT
                // are rejected before they reach the handler
                .register(WebSecurity.create(security).securityDefaults(WebSecurity.authenticate()))
                .get("/protected", JwtAuthExample::protectedRoute)
                .build();
    }

    private static void protectedRoute(ServerRequest request, ServerResponse response) {
        SecurityContext securityContext = request.context().get(SecurityContext.class)
                .orElseThrow(() -> new SecurityException("No security context"));

        if (securityContext.isAuthenticated()) {
            response.send("Access granted, user: " + securityContext.userName());
        } else {
            response.status(401).send("Unauthorized");
        }
    }
}
```
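What verifying a gateway-issued JWT against a JWKS comes down to, as a JDK-only added example (not Zuplo's or Helidon's code): pin `alg`, pick the key by `kid` from the trusted set, check the signature, then check `iss` and `exp`. The class and method names, the `k1`/`k2` key ids, the issuer URL and the flat-JSON `claim` reader are assumptions made for this illustration, and the keys are generated locally in place of a fetched JWKS.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.*;
import java.util.*;
import java.util.regex.*;
public class JwksVerifyDemo {
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    // Minimal reader for this demo's flat JSON; a real service uses a JSON parser.
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"?([^\",}]+)").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    static boolean verify(String token, Map<String, PublicKey> jwks, String issuer, long now) throws Exception {
        String[] p = token.split("\\.");
        if (p.length != 3) return false;
        String header = new String(DEC.decode(p[0]), UTF_8), payload = new String(DEC.decode(p[1]), UTF_8);
        String kid = claim(header, "kid");
        PublicKey key = kid == null ? null : jwks.get(kid);  // key comes from the trusted set, never from the token
        if (!"RS256".equals(claim(header, "alg")) || key == null) return false;  // rejects "none", HS256, unknown kid
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((p[0] + "." + p[1]).getBytes(UTF_8));
        if (!sig.verify(DEC.decode(p[2]))) return false;
        return issuer.equals(claim(payload, "iss"))
                && Long.parseLong(Objects.requireNonNullElse(claim(payload, "exp"), "0")) > now;
    }

    static String sign(PrivateKey k, String kid, String iss, long exp) throws Exception {
        String in = ENC.encodeToString(("{\"alg\":\"RS256\",\"kid\":\"" + kid + "\"}").getBytes(UTF_8))
                + "." + ENC.encodeToString(("{\"iss\":\"" + iss + "\",\"exp\":" + exp + "}").getBytes(UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(k);
        s.update(in.getBytes(UTF_8));
        return in + "." + ENC.encodeToString(s.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair gw = g.generateKeyPair(), other = g.generateKeyPair();  // constructed keys
        Map<String, PublicKey> jwks = Map.of("k1", gw.getPublic());     // stands in for the fetched JWKS
        String iss = "https://gateway.example/issuer";                  // placeholder issuer
        long now = System.currentTimeMillis() / 1000;
        System.out.println(verify(sign(gw.getPrivate(), "k1", iss, now + 60), jwks, iss, now));     // well-formed token
        System.out.println(verify(sign(other.getPrivate(), "k1", iss, now + 60), jwks, iss, now));  // signed by another key
        System.out.println(verify(sign(gw.getPrivate(), "k2", iss, now + 60), jwks, iss, now));     // kid not in the JWKS
        System.out.println(verify(sign(gw.getPrivate(), "k1", iss, now - 1), jwks, iss, now));      // already expired
    }
}
```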

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)
