--- title: "Add JWT Authentication to Your undefined API" description: undefined canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/javascript/restify/jwt-backend" framework: undefined language: undefined authStrategy: "JWT with JWKS" pageType: use-case --- # Add JWT Authentication to Your undefined API ## How Zuplo Handles It Let Zuplo issue short-lived JWTs signed with a JWKS your undefined backend can verify — no long-lived API keys touch your origin. ## undefined Backend Code ```javascript const restify = require("restify"); const jwt = require("jsonwebtoken"); const jwksClient = require("jwks-rsa"); // ISSUER URL const ISSUER = "https://my-api-a32f34.zuplo.api/__zuplo/issuer"; // Set up JWKS client const client = jwksClient({ jwksUri: `${ISSUER}/.well-known/jwks.json`, cache: true, cacheMaxAge: 600000, // 10 minutes }); // Function to retrieve the signing key function getKey(header, callback) { client.getSigningKey(header.kid, function (err, key) { if (err) { return callback(err); } const signingKey = key.getPublicKey(); callback(null, signingKey); }); } // JWT validation middleware function validateJwt(req, res, next) { const token = req.headers.authorization?.replace("Bearer ", ""); if (!token) { return res.send(401, { error: "No token provided" }); } jwt.verify( token, getKey, { issuer: ISSUER, algorithms: ["RS256"], }, (err, decoded) => { if (err) { return res.send(401, { error: "Invalid token", details: err.message }); } req.user = decoded; next(); }, ); } // Create Restify server const server = restify.createServer(); // Use middleware server.use(restify.plugins.queryParser()); server.use(validateJwt); // Protected route example server.get("/protected", (req, res, next) => { res.send({ message: "Access granted", user: req.user, }); return next(); }); // Start the server server.listen(8080, () => { console.log("%s listening at %s", server.name, server.url); }); ``` ## Example Request ```bash curl -X GET \ 'https://your-api.zuplo.dev/your-route' \ -H 'Authorization: Bearer YOUR_API_KEY' ``` ## Learn More - [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound) - [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound) - [All use cases](https://zuplo.com/use-cases)