Unkey Deploy is currently in private beta. To get access, reach out on Discord or email support@unkey.com.
JWT authentication is coming soon.
Authorization header. On success, it produces a Principal containing the full decoded token, so your app receives a verified identity without validating tokens itself. The Sentinel forwards the entire JWT payload as-is, preserving original claim names and types.
This works with any identity provider that issues JWTs, including WorkOS, Clerk, and Auth0. See the JWT source page for example payloads from each provider.
Key verification methods
JWT authentication supports three ways to verify token signatures:

| Method | Description |
|---|---|
| JWKS endpoint | Fetch signing keys from a JSON Web Key Set URL |
| OIDC discovery | Auto-discover the JWKS endpoint from an OpenID Connect issuer |
| PEM public key | Verify tokens directly with a PEM-encoded RSA or EC public key |
Configuration options
| Option | Description |
|---|---|
| Issuer | Required. Validate that the token’s iss claim matches this value |
| Audiences | Validate that the token’s aud claim contains at least one of the specified values |
| Algorithms | Allowed signing algorithms (defaults to RS256). Prevents algorithm confusion attacks |
| Subject claim | Which claim to use as the Principal’s subject (defaults to sub) |
| Allow anonymous | Allow requests without a Bearer token through (produces no Principal) |
| Clock skew | Tolerance in milliseconds for exp and nbf validation |
Principal output
JWT authentication produces a Principal with:

- subject: The value of the configured subject claim (default: sub)
- source.jwt.header: The decoded token header (alg, typ, kid)
- source.jwt.payload: The full decoded token payload with all claims as-is
- source.jwt.signature: The raw signature string from the token
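The checks listed under Configuration options and the Principal shape above, sketched as an added Python example. This is not Unkey's or the Sentinel's code: the config key names, the `verify_signature` callback (which stands in for JWKS, OIDC or PEM key verification) and the dict layout are assumptions made for illustration.

```python
import base64, json, time

def _decode(segment):
    # JWT segments are unpadded base64url-encoded JSON.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def authenticate(token, cfg, verify_signature, now_ms=None):
    """Return a Principal-shaped dict, or None for an allowed anonymous request.
    Raises ValueError on any failed check. cfg key names are hypothetical."""
    if token is None:
        if cfg.get("allow_anonymous", False):
            return None  # request passes through, no Principal is produced
        raise ValueError("missing bearer token")
    try:
        h64, p64, sig = token.split(".")
        header, payload = _decode(h64), _decode(p64)
        if not (isinstance(header, dict) and isinstance(payload, dict)):
            raise ValueError
    except Exception:
        raise ValueError("malformed token") from None
    # The allow-list is checked before any key is used, so a token whose header
    # names a different algorithm is rejected here (algorithm confusion).
    if header.get("alg") not in cfg.get("algorithms", ["RS256"]):
        raise ValueError("algorithm not allowed")
    # Assumed callback: verifies sig over "header.payload" with the configured key.
    if not verify_signature(f"{h64}.{p64}".encode(), sig, header):
        raise ValueError("bad signature")
    if payload.get("iss") != cfg["issuer"]:
        raise ValueError("issuer mismatch")
    if cfg.get("audiences"):
        aud = payload.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud  # aud may be string or list
        if not set(aud) & set(cfg["audiences"]):
            raise ValueError("audience mismatch")
    # exp/nbf are seconds since the epoch; the skew tolerance is in milliseconds.
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    skew = cfg.get("clock_skew_ms", 0)
    if "exp" in payload and now_ms > payload["exp"] * 1000 + skew:
        raise ValueError("token expired")
    if "nbf" in payload and now_ms < payload["nbf"] * 1000 - skew:
        raise ValueError("token not yet valid")
    subject = payload.get(cfg.get("subject_claim", "sub"))
    return {"subject": subject,
            "source": {"jwt": {"header": header, "payload": payload, "signature": sig}}}

def make_token(header, payload, sig="c2ln"):
    # Constructed sample token; the signature is a placeholder, not a real one.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{sig}"
```
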

