---
title: "Add JWT Authentication to Your Http4k API"
description: "Secure your Http4k API using JWT authentication with JWKS."
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/kotlin/http4k/jwt-backend"
framework: "Http4k"
language: "Kotlin"
authStrategy: "JWT with JWKS"
pageType: use-case
---

# Add JWT Authentication to Your Http4k API

Secure your Http4k API using JWT authentication with JWKS.

## How Zuplo Handles It

Let Zuplo issue short-lived JWTs, signed with a key published in a JWKS that your Http4k backend can use to verify them — no long-lived API keys touch your origin.

## Http4k Backend Code

```kotlin
import org.http4k.core.*
import org.http4k.filter.ServerFilters.BearerAuth
import org.http4k.routing.bind
import org.http4k.security.oauth.client.JwtTokenValidator
import org.http4k.security.oauth.server.Issuer
import org.http4k.security.oauth.server.Jwk
import org.http4k.security.oauth.server.JwksUri
import org.http4k.security.oauth.server.OAuthServer
import org.http4k.security.oauth.server.TokenVerifier
import org.http4k.security.oauth.server.verifiers.JwksTokenVerifier
import org.http4k.server.SunHttp
import org.http4k.server.asServer
import java.net.URI

// Issuer URL that is handed to the verifier below. Replace this sample value with the
// issuer of your own gateway.
val ISSUER = "https://my-api-a32f34.zuplo.api/__zuplo/issuer"
// JWKS location, derived from ISSUER by appending /.well-known/jwks.json. Keep it an https
// URL: the keys published there decide which tokens this backend trusts.
val JWKS_URI = URI.create("$ISSUER/.well-known/jwks.json")

// Create the JWKS token verifier from the JWKS location and the issuer.
// NOTE(review): only the JWKS URI and the issuer are configured here. Confirm whether the
// verifier also enforces expiry and an audience claim; if it does not, add those checks so
// a token minted for a different backend by the same issuer is rejected.
val jwksVerifier: TokenVerifier = JwksTokenVerifier(JwksUri(JWKS_URI), Issuer(ISSUER))

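/**
 * Filter that lets a request through only when it carries a bearer token that [jwksVerifier] accepts.
 *
 * A request without an `Authorization: Bearer <token>` header, or with a token the verifier
 * rejects, is answered with 401 and never reaches the wrapped handler. On success the verified
 * payload is attached to the request with `UserKey of user`.
 *
 * NOTE(review): `UserKey` is not declared in this listing; it has to be defined elsewhere.
 */
fun jwtValidator(): Filter = Filter { next ->
    handler@{ request ->
        val token = bearerToken(request.header("Authorization"))
            ?: return@handler unauthorized("No token provided")

        // Only verification sits inside the try: an exception thrown by the downstream handler
        // must not be turned into a 401 that echoes its message.
        val user = try {
            jwksVerifier(verifiedToken = token).payload // Assuming payload holds user info
        } catch (e: Exception) {
            // The reason for the rejection stays on the server; the client gets a fixed message so
            // the response does not describe how the check failed. Swap in the application's logger.
            System.err.println("JWT verification failed: ${e.javaClass.simpleName}: ${e.message}")
            return@handler unauthorized("Invalid token")
        }

        next(request.with(UserKey of user))
    }
}

/**
 * Extracts the token from an `Authorization` header value.
 *
 * Returns null unless the value starts with the `Bearer` scheme (matched case-insensitively)
 * and a non-blank token follows, so a `Basic` or otherwise malformed header is handled as
 * "no token" instead of being passed to the verifier.
 */
private fun bearerToken(authorization: String?): String? {
    val scheme = "Bearer "
    if (authorization == null || !authorization.startsWith(scheme, ignoreCase = true)) return null
    return authorization.substring(scheme.length).trim().takeIf { it.isNotEmpty() }
}

/** Builds the 401 response used for every authentication failure, with a bearer challenge. */
private fun unauthorized(message: String): Response =
    Response(Status.UNAUTHORIZED).header("WWW-Authenticate", "Bearer").body(message)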

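// Example protected route: GET /protected answers with the user that jwtValidator() attached
// to the request.
val protectedRoute = "/protected" bind Method.GET to { request: Request ->
    // NOTE(review): UserKey is not declared in this listing. The filter writes it with
    // `UserKey of user`, which is lens syntax, so it is read back by applying the lens to the
    // request rather than calling the request.
    val user = UserKey(request)
    // NOTE(review): `user` is whatever the verifier returned as payload; if that is the full
    // claim set, return only the claim the client needs instead of echoing all of it.
    Response(Status.OK).body("Access granted to user $user")
}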

// Wrap the route in the JWT filter, so jwtValidator() runs before the /protected handler is called.
val app = jwtValidator().then(protectedRoute)

/**
 * Entry point: serves [app] with SunHttp on port 8080.
 *
 * No TLS is configured in this listing, so put a TLS-terminating proxy in front of the
 * server when it is reachable from outside the host.
 */
fun main() {
    app.asServer(SunHttp(8080)).start()
}
```

## Example Request

```bash
# Client call to the Zuplo gateway, authenticated with the caller's API key.
# As described under "How Zuplo Handles It", the Http4k backend is meant to receive a
# short-lived JWT issued by Zuplo, not this key.
curl --request GET \
  --header 'Authorization: Bearer YOUR_API_KEY' \
  'https://your-api.zuplo.dev/your-route'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)
