Skip to main content
Version: v2.x

Multiple JWT Secrets

Available on: Cloud, Enterprise Edition

Introduction

You can configure GraphQL Engine with a list of JWT secrets. This enables you to authenticate with different JWT issuers.

How to use

Multiple JWT secrets can be provided in the env var HASURA_GRAPHQL_JWT_SECRETS which takes a list of JWT secret objects.

For example:

[
{ "jwk_url": "https://...", "issuer": "myapp" },
{ "type": "HS256", "key": "3EK6FD...", "issuer": "test" }
]

The structure of an individual JWT secret is described here.

Note

If both HASURA_GRAPHQL_JWT_SECRET and HASURA_GRAPHQL_JWT_SECRETS are set, then HASURA_GRAPHQL_JWT_SECRETS will be used.

Resolution logic

The authentication is resolved as follows:

  1. Bearer tokens are extracted from headers or cookie locations (as configured by each JWT secret)
  2. Tokens are filtered to ensure that the issuer field matches the configuration, or that the issuer is absent either from the configuration or the token.
  3. If no matching tokens are found then the unauthenticated flow is performed (depends on HASURA_GRAPHQL_UNAUTHORIZED_ROLE).
  4. If multiple matching tokens are found then an error is raised as the desired token is ambiguous.
  5. If only one matching token is found then it is verified against the corresponding configured secret.