---
title: "Add JWT Authentication to Your Nitro API"
description: "Secure your Nitro API using JWT authentication with JWKS."
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/typescript/nitro/jwt-backend"
framework: "Nitro"
language: "TypeScript"
authStrategy: "JWT with JWKS"
pageType: use-case
---

# Add JWT Authentication to Your Nitro API

Secure your Nitro API using JWT authentication with JWKS.

## How Zuplo Handles It

Let Zuplo issue short-lived JWTs signed with a JWKS your Nitro backend can verify — no long-lived API keys touch your origin.

## Nitro Backend Code

```typescript
// Middleware file (e.g. auth.ts in Nitro's middleware directory).
// Uses the `jose` library (npm install jose) to fetch the JWKS and verify tokens.
import { createError, defineEventHandler, getHeader } from "h3";
import { createRemoteJWKSet, jwtVerify } from "jose";

const ISSUER = "https://my-api-a32f34.zuplo.api/__zuplo/issuer";

// JWKS client setup: keys are fetched from the issuer and cached in memory
const jwks = createRemoteJWKSet(new URL(`${ISSUER}/.well-known/jwks.json`), {
  cacheMaxAge: 600000, // 10 minutes
});

// JWT validation middleware
export default defineEventHandler(async (event) => {
  const authHeader = getHeader(event, "authorization");
  if (!authHeader) {
    throw createError({ statusCode: 401, message: "No token provided" });
  }

  // Accept only "Bearer <token>"; anything else is rejected before verification
  const [scheme, token] = authHeader.split(" ");
  if (scheme?.toLowerCase() !== "bearer" || !token) {
    throw createError({ statusCode: 401, message: "Invalid token" });
  }

  try {
    // Checks the signature against the JWKS, plus issuer, algorithm and expiry
    const { payload } = await jwtVerify(token, jwks, {
      issuer: ISSUER,
      algorithms: ["RS256"],
    });
    event.context.user = payload;
  } catch (err) {
    throw createError({
      statusCode: 401,
      message: "Invalid token",
      // `data` is returned to the client in the error body
      data: { details: err instanceof Error ? err.message : String(err) },
    });
  }
});
```

The protected route goes in its own file, since a handler file has a single default export:

```typescript
// Example protected route (a separate file in the routes directory)
import { createError, defineEventHandler } from "h3";

export default defineEventHandler(async (event) => {
  if (!event.context.user) {
    throw createError({ statusCode: 401, message: "Unauthorized" });
  }

  // Logic for authenticated users
  return { message: "Access granted", user: event.context.user };
});
```
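
The checks that the verification call above performs, written out with only `node:crypto` as an added example (not code from the page or from Zuplo). The throwaway key pair, the `demo-key` kid, the sample token and the helper names `mint`, `verifyJwt` and `check` are constructed for illustration.

```typescript
import { createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";

const ISSUER = "https://my-api-a32f34.zuplo.api/__zuplo/issuer"; // issuer from the page
const b64 = (v: object) =>
  (Buffer.isBuffer(v) ? v : Buffer.from(JSON.stringify(v))).toString("base64url");
const unb64 = (s: string) => JSON.parse(Buffer.from(s, "base64url").toString());

// Constructed stand-in for the issuer: throwaway RSA key published as a one-key JWKS.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
const jwks = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "demo-key" }] };

// Hypothetical helper: sign a token with the issuer's private key (always RSA-SHA256).
function mint(header: object, claims: object): string {
  const input = `${b64(header)}.${b64(claims)}`;
  return `${input}.${b64(sign("RSA-SHA256", Buffer.from(input), privateKey))}`;
}

// Returns the claims, or throws naming the check that failed.
function verifyJwt(token: string, issuer: string, now = Date.now() / 1000) {
  const [h, p, s, ...rest] = token.split(".");
  if (!h || !p || !s || rest.length) throw new Error("malformed token");
  const header = unb64(h);
  // Allowlist the algorithm; the header is untrusted input.
  if (header.alg !== "RS256") throw new Error("algorithm not allowed");
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error("unknown kid");
  const key = createPublicKey({ key: jwk, format: "jwk" });
  const sigOk = verify("RSA-SHA256", Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url"));
  if (!sigOk) throw new Error("bad signature");
  const claims = unb64(p); // parsed only after the signature has been verified
  if (claims.iss !== issuer) throw new Error("wrong issuer");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims;
}

// "ok" or the rejection reason for a token.
function check(token: string): string {
  try {
    verifyJwt(token, ISSUER);
    return "ok";
  } catch (e) {
    return (e as Error).message;
  }
}

const soon = Math.floor(Date.now() / 1000) + 300; // short-lived: 5 minutes
const good = mint({ alg: "RS256", kid: "demo-key" }, { iss: ISSUER, sub: "constructed-user", exp: soon });
console.log(check(good));
```

In the backend itself, leave these checks to the JWT library; the block only makes visible what `issuer` and `algorithms` in the verify call enforce.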

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)
