JWT Authentication
Configure JWT-based authentication for your organization in Portkey
This feature is available only on the Enterprise Plan of Portkey.
Portkey supports JWT-based authentication in addition to API Key authentication. Clients can authenticate API requests with a JWT, which is validated against a configured JWKS (JSON Web Key Set). This guide explains the requirements and setup process for JWT authentication in Portkey.
Configuring JWT Authentication
JWT authentication can be configured under Admin Settings → Organisation → Authentication.
JWKS Configuration
To validate JWTs, you must configure one of the following:
- JWKS URL: A URL from which the public keys will be dynamically fetched.
- JWKS JSON: A static JSON containing public keys.
JWT Requirements
Supported Algorithm
- JWTs must be signed using RS256 (RSA Signature with SHA-256).
Required Claims
Your JWT payload must contain the following claims:
| Claim Key | Description |
|---|---|
| portkey_oid / organisation_id | Unique identifier for the organization. |
| portkey_workspace / workspace_slug | Identifier for the workspace. |
| scope / scopes | Permissions granted by the token. |
User Identification
Portkey identifies users in the following order of precedence for logging and metrics:
1. email_id
2. sub
3. uid
Authentication Process
1. The client sends an HTTP request with the JWT in the x-portkey-api-key header.
2. The server validates the JWT:
   - Verifies the signature using the JWKS.
   - Checks if the token is expired.
   - Ensures the required claims are present.
3. If valid, the request is authenticated, and user details are extracted for authorization and logging.
4. If invalid, the request is rejected with an HTTP 401 Unauthorized response.
Authorization & Scopes
Once the JWT is validated, the server checks for the required scope. Scopes can be provided in the JWT as either a single string or an array of strings using the `scope` or `scopes` claim.
Scopes can also be prefixed with `portkey.` (e.g., `portkey.completions.write`).
JWT tokens with appropriate scopes function identically to workspace API keys, providing access to workspace-specific operations. They cannot be used as organization API keys, which have broader administrative permissions across all workspaces.
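The following script is an added example, not Portkey's code and not taken from this page. It mirrors the server-side steps described under Authentication Process and Authorization & Scopes (signature check against a JWKS, expiry, required claims, scope matching with the optional `portkey.` prefix stripped) and applies the User Identification precedence (email_id, then sub, then uid). So that it runs offline it carries a toy pure-stdlib RS256 implementation, which is for illustration only; the key id, organization, workspace and user values are constructed, treating `exp` as mandatory is an assumption, and splitting a single-string scope claim on whitespace is an assumption.

```python
import base64, hashlib, hmac, json, random, time

# Toy RS256 in pure stdlib so this runs offline (constructed for illustration; use a vetted JWT library in production).
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER SHA-256 prefix from RFC 8017

def _is_probable_prime(n, rounds=16):                                   # Miller-Rabin
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=1024):
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q, e = prime(bits // 2), prime(bits // 2), 65537
        if p != q and ((p - 1) * (q - 1)) % e:                          # e is prime, so gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _emsa(msg, k):                                                      # EMSA-PKCS1-v1_5 of SHA-256(msg)
    t = DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_sign(key, signing_input):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(signing_input, k), "big"), key["d"], key["n"]).to_bytes(k, "big")
def rs256_verify(n, e, signing_input, sig):
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < n and hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa(signing_input, k))
def jwk_from_key(key, kid):                                             # public half only, as served in a JWKS
    be = lambda i: _b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": be(key["n"]), "e": be(key["e"])}
def encode_jwt(key, kid, payload):
    segs = [_b64u(json.dumps(x, separators=(",", ":")).encode())
            for x in ({"alg": "RS256", "typ": "JWT", "kid": kid}, payload)]
    return ".".join(segs + [_b64u(rs256_sign(key, ".".join(segs).encode()))])

class JwtError(Exception): pass

# Claim aliases and user-identification precedence as listed on the page.
ORG_CLAIMS, WS_CLAIMS = ("portkey_oid", "organisation_id"), ("portkey_workspace", "workspace_slug")
SCOPE_CLAIMS, USER_CLAIMS = ("scope", "scopes"), ("email_id", "sub", "uid")
def _first(payload, keys):
    return next((payload[k] for k in keys if k in payload), None)

def normalize_scopes(raw):
    # A single string (assumed space-separated) or an array; the optional "portkey." prefix is stripped.
    items = raw.split() if isinstance(raw, str) else list(raw)
    return {s[len("portkey."):] if s.startswith("portkey.") else s for s in items}

def validate_jwt(token, jwks, required_scope, now=None):
    """The server-side steps in order: signature via JWKS, expiry, required claims, then scope."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, payload, sig = json.loads(_b64u_dec(h)), json.loads(_b64u_dec(p)), _b64u_dec(s)
    except ValueError as exc:                                           # bad split, base64 or JSON
        raise JwtError("malformed token") from exc
    if header.get("alg") != "RS256": raise JwtError("unsupported alg")  # fixed allow-list, never token-chosen
    jwk = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None: raise JwtError("unknown kid")
    n, e = (int.from_bytes(_b64u_dec(jwk[x]), "big") for x in ("n", "e"))
    if not rs256_verify(n, e, f"{h}.{p}".encode(), sig): raise JwtError("bad signature")
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]: raise JwtError("expired")
    org, ws, raw = (_first(payload, c) for c in (ORG_CLAIMS, WS_CLAIMS, SCOPE_CLAIMS))
    if org is None or ws is None or raw is None: raise JwtError("missing required claim")
    scopes = normalize_scopes(raw)
    if required_scope not in scopes: raise JwtError("insufficient scope")
    return {"org": org, "workspace": ws, "user": _first(payload, USER_CLAIMS), "scopes": scopes}

def run_checks():
    """Constructed end-to-end run: mint tokens with a fresh key and exercise the accept and reject paths."""
    key, kid, now = generate_rsa_key(), "example-key-1", int(time.time())       # constructed key id
    jwks = {"keys": [jwk_from_key(key, kid)]}
    claims = {"portkey_oid": "org_example", "portkey_workspace": "ws_example",   # constructed values
              "scope": "portkey.completions.write", "email_id": "dev@example.com",
              "sub": "user-123", "iat": now, "exp": now + 300}
    good = validate_jwt(encode_jwt(key, kid, claims), jwks, "completions.write")
    out = {"user": good["user"], "scopes": sorted(good["scopes"])}              # email_id beats sub
    without = lambda c: {k: v for k, v in claims.items() if k != c}
    cases = {"array_scopes": (dict(without("scope"), scopes=["portkey.completions.write", "logs.read"]), "completions.write", key),
             "expired": (dict(claims, exp=now - 1), "completions.write", key),
             "wrong_scope": (claims, "configs.write", key),
             "missing_claim": (without("portkey_workspace"), "completions.write", key),
             "wrong_key": (claims, "completions.write", generate_rsa_key())}    # same kid, key not in the JWKS
    for name, (p, scope, k) in cases.items():
        try:
            validate_jwt(encode_jwt(k, kid, p), jwks, scope)
            out[name] = "accepted"
        except JwtError as exc:
            out[name] = str(exc)
    return out
```

Calling `run_checks()` returns the accept and reject outcomes as a dict. Two design points worth noting for anyone wiring a JWKS-backed validator: the algorithm is fixed to RS256 on the server side rather than read from the token header, and the key is selected by `kid` from the configured JWKS before any claim is trusted, so a token signed with a key that is not in the set is rejected before its claims are ever inspected.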
Example JWT Payload
Making API Calls with JWT Authentication
Once you have a valid JWT token, you can use it to authenticate your API calls to Portkey. Below are examples showing how to use JWT authentication with different SDKs.
Install the Portkey SDK with npm
Caching & Token Revocation
- JWTs are cached until they expire to reduce validation overhead.