Using JWT fields in the method

JWT (JSON Web Token) validation in APIs is a security mechanism used to verify that incoming requests come from an authenticated caller and carry the claims the API is entitled to act on. When a client sends a request, it includes a token that contains claims (such as user identity and permissions) and is cryptographically signed by the issuer. The API validates the signature and the standard claims (issuer, audience) to confirm that the token has not been tampered with and was issued for this API, and only then uses the remaining claims to decide what the caller may access.

OpenLegacy Hub allows users to configure JWT token validation directly at the OpenAPI tech contract level, enabling seamless integration of security policies as part of the API design and governance process.

To enable JWT validation, the user needs to do the following:

In the project contract, make sure the OpenAPI technology is enabled.

Click the three dots next to the contract name.

Select JWT Configuration.

Configure the JWT settings from the Contract menu:

  • JWK - the URL from which the keys used to verify token signatures are downloaded (a JWK Set document)
  • Issuer - the expected value of the token's iss claim, i.e. who issued the JWT
  • Audience - the audiences the JWT may be addressed to, as a comma-separated list; the token's aud claim must match one of the allowed audiences
  • JWT Fields Configuration - select the claims that will be passed as part of the input of the method

Once enabled, the API expects an Authorization header carrying the JWT as a Bearer token, e.g. Authorization: Bearer <JWT TOKEN>.

The API validates this token (signature against the keys from the JWK URL, issuer and audience); if it is valid, the request is processed, otherwise it is rejected. Additionally, the selected JWT fields can be accessed within any method mapper under Advanced Properties in the input configuration.
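To make the checks behind this configuration concrete, here is an added example written for this page; it is not OpenLegacy Hub code and does not show how the Hub implements validation. It models a validator that takes the same settings as the contract (a JWK Set, an expected issuer, a comma-separated audience list and the list of JWT fields to expose), verifies a Bearer token and returns only the configured claims as the method input. The JWK Set, shared secret, issuer URL, audiences and claim names are constructed for the example; it uses HS256 with a symmetric "oct" key so that it runs with the Python standard library alone, whereas a key set published at a JWK URL would normally hold RSA or EC public keys.

```python
# Added example for this page, not OpenLegacy Hub code.  A stdlib-only model of the
# checks a contract-level JWT validator has to pass before claims may be handed to a
# method: Bearer header present, kid resolves to a key in the JWK Set, alg matches that
# key, signature verifies, exp/nbf/iss/aud hold, and only the configured fields leave.
# HS256 with a symmetric "oct" key keeps it dependency-free; a real JWK URL would
# normally publish RSA or EC public keys instead.
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Constructed JWK Set standing in for the document fetched from the contract's JWK URL.
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": b64url_encode(b"constructed-shared-secret-for-demo-only")}]}


def mint_token(claims: dict, kid: str = "k1") -> str:
    """Test helper that signs claims the way the issuer would, with the key named by kid."""
    key = next(k for k in JWKS["keys"] if k["kid"] == kid)
    h64 = b64url_encode(json.dumps({"alg": key["alg"], "typ": "JWT", "kid": kid}).encode())
    p64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"


def validate_request(headers: dict, issuer: str, audiences: str, fields: list, now: float = None) -> dict:
    """Check the Authorization header against the contract settings and return the
    configured JWT fields as the method input.  Raises ValueError on any failure."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("missing Bearer token")
    try:
        h64, p64, s64 = token.strip().split(".")
        header = json.loads(b64url_decode(h64))
        payload = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:  # wrong segment count, bad base64url, bad JSON
        raise ValueError("malformed JWT")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed JWT")
    # Resolve the key by kid, then require the token's alg to equal the key's alg so
    # that "alg": "none" or an algorithm swap never reaches signature verification.
    key = next((k for k in JWKS["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or header.get("alg") != key["alg"] or key["alg"] != "HS256":
        raise ValueError("unknown key or algorithm mismatch")
    expected = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise ValueError("token expired or has no exp")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    if payload.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    # The Audience setting is a comma-separated allow-list; aud may be a string or a list.
    allowed = {a.strip() for a in audiences.split(",") if a.strip()}
    aud = payload.get("aud", [])
    if not allowed.intersection([aud] if isinstance(aud, str) else aud):
        raise ValueError("audience mismatch")
    # Only the claims selected under JWT Fields Configuration become method input.
    return {f: payload[f] for f in fields if f in payload}


def rejection_reason(*args, **kwargs):
    """Reason a request is rejected, or None when it is accepted."""
    try:
        validate_request(*args, **kwargs)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    tok = mint_token({"iss": "https://issuer.example", "aud": "api-a", "sub": "u42",
                      "role": "admin", "exp": int(time.time()) + 300})
    print(validate_request({"Authorization": f"Bearer {tok}"}, "https://issuer.example",
                           "api-a, api-b", ["sub", "role"]))
```

Two design points carry over to any validator configured this way: the algorithm is taken from the resolved key, not trusted from the token header, and the audience check is against the whole comma-separated list, so a token minted for a different API behind the same issuer is rejected even though its signature is valid. Whatever a method mapper receives under Advanced Properties should be only the claims listed in JWT Fields Configuration, never the raw token.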