---
title: "Add JWT Authentication to Your Laravel API"
description: undefined
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/php/laravel/jwt-backend"
framework: Laravel
language: PHP
authStrategy: "JWT with JWKS"
pageType: use-case
---

# Add JWT Authentication to Your Laravel API



## How Zuplo Handles It

Let Zuplo issue short-lived JWTs, signed with a key published in a JWKS that your Laravel backend can verify, so that no long-lived API keys touch your origin.

## Laravel Backend Code

```php
use Illuminate\Support\Facades\Route;
use Illuminate\Http\Request;
use Firebase\JWT\JWT;
use Firebase\JWT\JWK;
use Illuminate\Support\Facades\Http;

// Constants
const ISSUER = "https://my-api-a32f34.zuplo.api/__zuplo/issuer";
const JWKS_URI = ISSUER . '/.well-known/jwks.json';

// Middleware to validate JWT with JWKS
class ValidateJwtMiddleware
{
    public function handle($request, \Closure $next)
    {
        $authHeader = $request->header('Authorization');

        if (!$authHeader || !str_starts_with($authHeader, 'Bearer ')) {
            return response()->json(['error' => 'No token provided'], 401);
        }

        $token = substr($authHeader, 7);
        try {
            // Fetch JWKS; throw() turns an HTTP error status into an exception
            // instead of handing an empty key set to the parser.
            $jwks = Http::get(JWKS_URI)->throw()->json();

            // firebase/php-jwt v6+: the algorithm is bound to each parsed key
            // (default RS256 here) rather than passed to decode().
            // decode() verifies the signature and the exp/nbf/iat claims.
            $decodedToken = JWT::decode($token, JWK::parseKeySet($jwks, 'RS256'));

            if (($decodedToken->iss ?? null) !== ISSUER) {
                throw new \Exception('Token issuer is invalid');
            }
        } catch (\Throwable $e) {
            // Log the reason server-side; the caller only learns that the token was rejected.
            report($e);
            return response()->json(['error' => 'Invalid token'], 401);
        }

        // Store verified claims as a request attribute, separate from client-supplied input.
        $request->attributes->set('user', $decodedToken);

        // Called outside the try block so application errors are not reported as 401s.
        return $next($request);
    }
}

// Register Middleware in Kernel
// In app/Http/Kernel.php add:
// protected $routeMiddleware = [
//     'validate.jwt' => \App\Http\Middleware\ValidateJwtMiddleware::class,
// ];
// (Laravel 10 names this property $middlewareAliases; Laravel 11+ registers
// aliases in bootstrap/app.php.)

// Protected Route Example
Route::middleware(['validate.jwt'])->get('/protected', function (Request $request) {
    return response()->json([
        'message' => 'Access granted',
        'user' => $request->attributes->get('user'),
    ]);
});
```
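
When the backend caches the JWKS instead of fetching it on every request, a rotated signing key first shows up as a token with an unknown `kid`. The following added example (not Zuplo's code and not part of the original page) selects the key by `kid`, pins `RS256`, and refetches the key set at most once per interval; the class name `JwksKeySelector`, the injected fetch closure, the 60-second throttle and the sample key set are assumptions, and the token's signature must still be verified with the selected key.

```php
<?php
// Added example: pick the verification key by `kid` from a cached JWKS and
// refetch at most once per interval when an unknown `kid` appears (rotation).
final class JwksKeySelector
{
    private array $keys = [];   // kid => JWK array
    private int $lastFetch = 0; // unix time of the last JWKS fetch
    public function __construct(
        private \Closure $fetchJwks,         // assumption: returns the decoded JWKS array
        private int $minRefreshSeconds = 60  // throttle refetches caused by bogus kids
    ) {}

    /** Returns the JWK for the token's kid, or null when the token must be rejected. */
    public function select(string $jwt, int $now): ?array
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            return null;
        }
        $header = json_decode((string) base64_decode(strtr($parts[0], '-_', '+/')), true);
        $kid = is_array($header) ? ($header['kid'] ?? null) : null;
        // Pin the algorithm server-side; the token header never chooses it.
        if (!is_string($kid) || ($header['alg'] ?? null) !== 'RS256') {
            return null;
        }
        if (!isset($this->keys[$kid]) && $now - $this->lastFetch >= $this->minRefreshSeconds) {
            $this->lastFetch = $now;
            $this->keys = []; // drop keys that are no longer published
            foreach ((($this->fetchJwks)()['keys'] ?? []) as $jwk) {
                if (($jwk['kty'] ?? '') === 'RSA' && isset($jwk['kid'])) {
                    $this->keys[$jwk['kid']] = $jwk;
                }
            }
        }
        return $this->keys[$kid] ?? null;
    }
}

// Constructed demo: header-only tokens and a fake JWKS; no network, no real keys.
$token = fn (array $h) => rtrim(strtr(base64_encode(json_encode($h)), '+/', '-_'), '=') . '.e30.sig';
$served = ['keys' => [['kty' => 'RSA', 'kid' => 'k1', 'n' => 'constructed', 'e' => 'AQAB']]];
$fetches = 0;
$sel = new JwksKeySelector(function () use (&$served, &$fetches) { $fetches++; return $served; });
var_dump($sel->select($token(['alg' => 'RS256', 'kid' => 'k1']), 1000) !== null); // known kid
var_dump($sel->select($token(['alg' => 'none', 'kid' => 'k1']), 1001) !== null);  // unpinned alg
$served['keys'][] = ['kty' => 'RSA', 'kid' => 'k2', 'n' => 'constructed', 'e' => 'AQAB'];
var_dump($sel->select($token(['alg' => 'RS256', 'kid' => 'k2']), 1030) !== null); // rotated key, inside throttle window
var_dump($sel->select($token(['alg' => 'RS256', 'kid' => 'k2']), 1100) !== null); // rotated key, after the window
var_dump($fetches); // number of JWKS fetches performed
```

The throttle keeps a stream of tokens with random `kid` values from turning each request into an outbound JWKS fetch.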

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)
