docs/manual/mod/mod_autht_jwt.html.en.utf8 - httpd - Git at Google

 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
 <meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
 <!--
         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
               This file is generated from xml source: DO NOT EDIT
         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       -->
 <title>mod_autht_jwt - Apache HTTP Server Version 2.5</title>
 <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
 <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
 <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
 <script src="../style/scripts/prettify.min.js" type="text/javascript">
 </script>

 <link href="../images/favicon.ico" rel="shortcut icon" /></head>
 <body>
 <div id="page-header">
 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
 <p class="apache">Apache HTTP Server Version 2.5</p>
 <img alt="" src="../images/feather.png" /></div>
 <div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
 <div id="path">
 <a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.5</a> &gt; <a href="./">Modules</a></div>
 <div id="page-content">
 <div id="preamble"><h1>Apache Module mod_autht_jwt</h1>
 <div class="toplang">
 <p><span>Available Languages: </span><a href="../en/mod/mod_autht_jwt.html" title="English">&nbsp;en&nbsp;</a> |
 <a href="../fr/mod/mod_autht_jwt.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a></p>
 </div>
 <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Token authentication using JWT tokens</td></tr>
 <tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
 <tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>autht_jwt_module</td></tr>
 <tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_autht_jwt.c</td></tr></table>
 <h3>Summary</h3>

     <p>This module provides token parsing front-ends such as
     <code class="module"><a href="../mod/mod_auth_bearer.html">mod_auth_bearer</a></code> the ability to authenticate users
     by verifying a JWT token as described in
     <a href="http://www.ietf.org/rfc/rfc7519.txt">RFC 7519</a>.</p>

     <p>A JWT token is read from the <var>Authorization</var> header
     with an <var>auth-scheme</var> of <var>Bearer</var>.</p>

     <p>When using <code class="module"><a href="../mod/mod_auth_bearer.html">mod_auth_bearer</a></code> this module is invoked
     via the
     <code class="directive"><a href="../mod/mod_auth_bearer.html#authbearerprovider">AuthBearerProvider</a></code>
     with the <code>jwt</code> value.</p>

     <p>This module can also be used standalone to generate JWT tokens
     for passing to a backend server or service. Claims are embedded within
     a token, which is then optionally signed, and passed using the
     <var>Authorization</var> header as a <var>Bearer</var> token.</p>
 </div>
 <div id="quickview"><h3 class="directives">Directives</h3>
 <ul id="toc">
 <li><img alt="" src="../images/down.gif" /> <a href="#authtjwtclaim">AuthtJwtClaim</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#authtjwtdriver">AuthtJwtDriver</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#authtjwtsign">AuthtJwtSign</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#authtjwtverify">AuthtJwtVerify</a></li>
 </ul>
 <h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&amp;list_id=144532&amp;product=Apache%20httpd-2&amp;query_format=specific&amp;order=changeddate%20DESC%2Cpriority%2Cbug_severity&amp;component=mod_autht_jwt">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&amp;component=mod_autht_jwt">Report a bug</a></li></ul><h3>See also</h3>
 <ul class="seealso">
 <li>
   <code class="directive"><a href="../mod/mod_auth_bearer.html#authbearerprovider">AuthBearerProvider</a></code>
 </li>
 <li><a href="#comments_section">Comments</a></li></ul></div>

 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="AuthtJwtClaim" id="AuthtJwtClaim">AuthtJwtClaim</a> <a name="authtjwtclaim" id="authtjwtclaim">Directive</a> <a title="Permanent link" href="#authtjwtclaim" class="permalink">&para;</a></h2>
 <table class="directive">
 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set a claim with the given name and expression, or unset the claim with the given name</td></tr>
 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthtJwtVerify <var>[set|unset]</var> <var>name</var> [<var>value</var>]</code></td></tr>
 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_autht_jwt</td></tr>
 </table>
     <p>The <code class="directive">AuthtJwtClaim</code> directive adds and/or removes
     claims from token being passed to the backend server or service.</p>

     <p>When a claim is set, the value of the claim is the result of an expression. The
     expression may include parameters from a digital certificate, or the name of the
     user that has been authenticated to Apache httpd.</p>

     <div class="example"><h3>Pass Remote User Example</h3><pre class="prettyprint lang-config">&lt;Location "/secure"&gt;
   AuthtJwtClaim set sub %{REMOTE_USER}
   AuthtJwtSign hs256 file "/www/conf/jwt.secret"
 &lt;/Location&gt;</pre>
 </div>

     <p>When a claim is unset, the claim previously set is removed from the token.</p>

     <div class="example"><h3>Unset Claim Example</h3><pre class="prettyprint lang-config">AuthtJwtClaim set my-claim present
 &lt;Location "/secure"&gt;
   AuthtJwtClaim set sub %{REMOTE_USER}
   AuthtJwtClaim unset my-claim
   AuthtJwtSign hs256 file "/www/conf/jwt.secret"
 &lt;/Location&gt;</pre>
 </div>


 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="AuthtJwtDriver" id="AuthtJwtDriver">AuthtJwtDriver</a> <a name="authtjwtdriver" id="authtjwtdriver">Directive</a> <a title="Permanent link" href="#authtjwtdriver" class="permalink">&para;</a></h2>
 <table class="directive">
 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the name of the underlying crypto driver to
 use</td></tr>
 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthtJwtDriver <var>name</var> <var>[param[=value]]</var></code></td></tr>
 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_autht_jwt</td></tr>
 </table>
     <p>The <code class="directive">AuthtJwtDriver</code> directive specifies the name of
     the crypto driver to be used for signing and verification. If not specified,
     the driver defaults to the recommended driver compiled into APR-util.</p>

     <p>Follow the instructions in the
     <code class="directive"><a href="../mod/mod_session_crypto.html#sessioncryptodriver">SessionCryptoDriver</a></code> to
     set up the driver.</p>

 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="AuthtJwtSign" id="AuthtJwtSign">AuthtJwtSign</a> <a name="authtjwtsign" id="authtjwtsign">Directive</a> <a title="Permanent link" href="#authtjwtsign" class="permalink">&para;</a></h2>
 <table class="directive">
 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The JWS signing algorithm and passphrase/key to sign an outgoing
 JWT token</td></tr>
 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthtJwtSign <var>algorithm</var> [<var>type</var> <var>param</var>]</code></td></tr>
 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_autht_jwt</td></tr>
 </table>
     <p>The <code class="directive">AuthtJwtSign</code> directive specifies the algorithm
     and secret used to sign outgoing bearer tokens passed to a server or service.</p>

     <p>If the algorithm type <var>none</var> is selected, the token is not
     protected. Use only when the client is trusted, and the channel is protected
     through other means, such as mutually authenticated TLS, or unix domain sockets.</p>

     <p>Set the claims to be sent in the token using the
     <code class="directive"><a href="#authtjwtclaim">AuthtJwtClaim</a></code> directive. The
     <var>sub</var> claim is used to pass the remote user.</p>

     <div class="example"><h3>No Verification Example</h3><pre class="prettyprint lang-config">&lt;Location "/mutual-tls-secured"&gt;
   AuthtJwtClaim set sub %{REMOTE_USER}
   AuthtJwtSign none
 &lt;/Location&gt;</pre>
 </div>

     <p>If the algorithm type <var>HS256</var> is used, the algorithm is set to
     <var>HMAC-SHA256</var>, and the secret is set within the <var>file</var> specified
     as the third parameter. The contents of the bearer token is still visible, and so
     the channel must still be protected from evesdropping through TLS.</p>

     <div class="example"><h3>Verification Example</h3><pre class="prettyprint lang-config">&lt;Location "/secure"&gt;
   AuthtJwtClaim set sub %{REMOTE_USER}
   AuthtJwtSign hs256 file "/www/conf/jwt.secret"
 &lt;/Location&gt;</pre>
 </div>


 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="AuthtJwtVerify" id="AuthtJwtVerify">AuthtJwtVerify</a> <a name="authtjwtverify" id="authtjwtverify">Directive</a> <a title="Permanent link" href="#authtjwtverify" class="permalink">&para;</a></h2>
 <table class="directive">
 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The JWS signing algorithm and passphrase/key to verify an incoming
 JWT token</td></tr>
 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthtJwtVerify <var>algorithm</var> [<var>type</var> <var>param</var>]</code></td></tr>
 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_autht_jwt</td></tr>
 </table>
     <p>The <code class="directive">AuthtJwtVerify</code> directive specifies the algorithm
     and secret used to verify incoming bearer tokens.</p>

     <p>If the algorithm type <var>none</var> is selected, the token is not
     protected, and will be accepted as is. Use only when the client is trusted, and the
     channel is protected through other means, such as mutually authenticated TLS, or
     unix domain sockets.</p>

     <p>If present, the <var>sub</var> claim is assigned to REMOTE_USER.</p>

     <div class="example"><h3>No Verification Example</h3><pre class="prettyprint lang-config">&lt;Location "/mutual-tls-secured"&gt;
   AuthType bearer
   AuthName example-name
   AuthBearerProvider jwt
   AuthtJwtVerify none
   Require valid-user
 &lt;/Location&gt;</pre>
 </div>

     <p>If the algorithm type <var>HS256</var> is used, the algorithm is set to
     <var>HMAC-SHA256</var>, and the secret is set within the <var>file</var> specified
     as the third parameter. The contents of the bearer token is still visible, and so
     the channel must still be protected from evesdropping through TLS.</p>

     <p>If the signature is verified, and if present, the <var>sub</var> claim is
     assigned to REMOTE_USER.</p>

     <div class="example"><h3>Verification Example</h3><pre class="prettyprint lang-config">&lt;Location "/secure"&gt;
   AuthType bearer
   AuthName example-name
   AuthBearerProvider jwt
   AuthtJwtVerify hs256 file "/www/conf/jwt.secret"
   Require valid-user
 &lt;/Location&gt;</pre>
 </div>


 </div>
 </div>
 <div class="bottomlang">
 <p><span>Available Languages: </span><a href="../en/mod/mod_autht_jwt.html" title="English">&nbsp;en&nbsp;</a> |
 <a href="../fr/mod/mod_autht_jwt.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a></p>
 </div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div>
 <script type="text/javascript"><!--//--><![CDATA[//><!--
 var comments_shortname = 'httpd';
 var comments_identifier = 'http://httpd.apache.org/docs/trunk/mod/mod_autht_jwt.html';
 (function(w, d) {
     if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
         d.write('<div id="comments_thread"><\/div>');
         var s = d.createElement('script');
         s.type = 'text/javascript';
         s.async = true;
         s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
         (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
     }
     else {
         d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
     }
 })(window, document);
 //--><!]]></script></div><div id="footer">
 <p class="apache">Copyright 2023 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
 if (typeof(prettyPrint) !== 'undefined') {
     prettyPrint();
 }
 //--><!]]></script>
 </body></html>
	<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
	<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
	<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
	<!--
	XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
	This file is generated from xml source: DO NOT EDIT
	XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
	-->
	<title>mod_autht_jwt - Apache HTTP Server Version 2.5</title>
	<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
	<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
	<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
	<script src="../style/scripts/prettify.min.js" type="text/javascript">
	</script>

	<link href="../images/favicon.ico" rel="shortcut icon" /></head>
	<body>
	<div id="page-header">
	<p class="menu"><a href="../mod/">Modules</a> \| <a href="../mod/quickreference.html">Directives</a> \| <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> \| <a href="../glossary.html">Glossary</a> \| <a href="../sitemap.html">Sitemap</a></p>
	<p class="apache">Apache HTTP Server Version 2.5</p>
	<img alt="" src="../images/feather.png" /></div>
	<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
	<div id="path">
	<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.5</a> > <a href="./">Modules</a></div>
	<div id="page-content">
	<div id="preamble"><h1>Apache Module mod_autht_jwt</h1>
	<div class="toplang">
	<p><span>Available Languages: </span><a href="../en/mod/mod_autht_jwt.html" title="English"> en </a> \|
	<a href="../fr/mod/mod_autht_jwt.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
	</div>
	<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Token authentication using JWT tokens</td></tr>
	<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
	<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>autht_jwt_module</td></tr>
	<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_autht_jwt.c</td></tr></table>
	<h3>Summary</h3>

	<p>This module provides token parsing front-ends such as
	<code class="module"><a href="../mod/mod_auth_bearer.html">mod_auth_bearer</a></code> the ability to authenticate users
	by verifying a JWT token as described in
	<a href="http://www.ietf.org/rfc/rfc7519.txt">RFC 7519</a>.</p>

	<p>A JWT token is read from the <var>Authorization</var> header
	with an <var>auth-scheme</var> of <var>Bearer</var>.</p>

	<p>When using <code class="module"><a href="../mod/mod_auth_bearer.html">mod_auth_bearer</a></code> this module is invoked
	via the
	<code class="directive"><a href="../mod/mod_auth_bearer.html#authbearerprovider">AuthBearerProvider</a></code>
	with the <code>jwt</code> value.</p>

	<p>This module can also be used standalone to generate JWT tokens
	for passing to a backend server or service. Claims are embedded within
	a token, which is then optionally signed, and passed using the
	<var>Authorization</var> header as a <var>Bearer</var> token.</p>
	</div>
	<div id="quickview"><h3 class="directives">Directives</h3>
	<ul id="toc">
	<li><img alt="" src="../images/down.gif" /> <a href="#authtjwtclaim">AuthtJwtClaim</a></li>
	<li><img alt="" src="../images/down.gif" /> <a href="#authtjwtdriver">AuthtJwtDriver</a></li>
	<li><img alt="" src="../images/down.gif" /> <a href="#authtjwtsign">AuthtJwtSign</a></li>
	<li><img alt="" src="../images/down.gif" /> <a href="#authtjwtverify">AuthtJwtVerify</a></li>
	</ul>
	<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&list_id=144532&product=Apache%20httpd-2&query_format=specific&order=changeddate%20DESC%2Cpriority%2Cbug_severity&component=mod_autht_jwt">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&component=mod_autht_jwt">Report a bug</a></li></ul><h3>See also</h3>
	<ul class="seealso">
	<li>
	<code class="directive"><a href="../mod/mod_auth_bearer.html#authbearerprovider">AuthBearerProvider</a></code>
	</li>
	<li><a href="#comments_section">Comments</a></li></ul></div>

	<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
	<div class="directive-section"><h2><a name="AuthtJwtClaim" id="AuthtJwtClaim">AuthtJwtClaim</a> <a name="authtjwtclaim" id="authtjwtclaim">Directive</a> <a title="Permanent link" href="#authtjwtclaim" class="permalink">¶</a></h2>
	<table class="directive">
	<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set a claim with the given name and expression, or unset the claim with the given name</td></tr>
	<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthtJwtVerify <var>[set\|unset]</var> <var>name</var> [<var>value</var>]</code></td></tr>
	<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
	<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
	<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
	<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_autht_jwt</td></tr>
	</table>
	<p>The <code class="directive">AuthtJwtClaim</code> directive adds and/or removes
	claims from token being passed to the backend server or service.</p>

	<p>When a claim is set, the value of the claim is the result of an expression. The
	expression may include parameters from a digital certificate, or the name of the
	user that has been authenticated to Apache httpd.</p>

	<div class="example"><h3>Pass Remote User Example</h3><pre class="prettyprint lang-config"><Location "/secure">
	AuthtJwtClaim set sub %{REMOTE_USER}
	AuthtJwtSign hs256 file "/www/conf/jwt.secret"
	</Location></pre>
	</div>

	<p>When a claim is unset, the claim previously set is removed from the token.</p>

	<div class="example"><h3>Unset Claim Example</h3><pre class="prettyprint lang-config">AuthtJwtClaim set my-claim present
	<Location "/secure">
	AuthtJwtClaim set sub %{REMOTE_USER}
	AuthtJwtClaim unset my-claim
	AuthtJwtSign hs256 file "/www/conf/jwt.secret"
	</Location></pre>
	</div>


	</div>
	<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
	<div class="directive-section"><h2><a name="AuthtJwtDriver" id="AuthtJwtDriver">AuthtJwtDriver</a> <a name="authtjwtdriver" id="authtjwtdriver">Directive</a> <a title="Permanent link" href="#authtjwtdriver" class="permalink">¶</a></h2>
	<table class="directive">
	<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the name of the underlying crypto driver to
	use</td></tr>
	<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthtJwtDriver <var>name</var> <var>[param[=value]]</var></code></td></tr>
	<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
	<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
	<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_autht_jwt</td></tr>
	</table>
	<p>The <code class="directive">AuthtJwtDriver</code> directive specifies the name of
	the crypto driver to be used for signing and verification. If not specified,
	the driver defaults to the recommended driver compiled into APR-util.</p>

	<p>Follow the instructions in the
	<code class="directive"><a href="../mod/mod_session_crypto.html#sessioncryptodriver">SessionCryptoDriver</a></code> to
	set up the driver.</p>

	</div>
	<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
	<div class="directive-section"><h2><a name="AuthtJwtSign" id="AuthtJwtSign">AuthtJwtSign</a> <a name="authtjwtsign" id="authtjwtsign">Directive</a> <a title="Permanent link" href="#authtjwtsign" class="permalink">¶</a></h2>
	<table class="directive">
	<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The JWS signing algorithm and passphrase/key to sign an outgoing
	JWT token</td></tr>
	<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthtJwtSign <var>algorithm</var> [<var>type</var> <var>param</var>]</code></td></tr>
	<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
	<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
	<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
	<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_autht_jwt</td></tr>
	</table>
	<p>The <code class="directive">AuthtJwtSign</code> directive specifies the algorithm
	and secret used to sign outgoing bearer tokens passed to a server or service.</p>

	<p>If the algorithm type <var>none</var> is selected, the token is not
	protected. Use only when the client is trusted, and the channel is protected
	through other means, such as mutually authenticated TLS, or unix domain sockets.</p>

	<p>Set the claims to be sent in the token using the
	<code class="directive"><a href="#authtjwtclaim">AuthtJwtClaim</a></code> directive. The
	<var>sub</var> claim is used to pass the remote user.</p>

	<div class="example"><h3>No Verification Example</h3><pre class="prettyprint lang-config"><Location "/mutual-tls-secured">
	AuthtJwtClaim set sub %{REMOTE_USER}
	AuthtJwtSign none
	</Location></pre>
	</div>

	<p>If the algorithm type <var>HS256</var> is used, the algorithm is set to
	<var>HMAC-SHA256</var>, and the secret is set within the <var>file</var> specified
	as the third parameter. The contents of the bearer token is still visible, and so
	the channel must still be protected from evesdropping through TLS.</p>

	<div class="example"><h3>Verification Example</h3><pre class="prettyprint lang-config"><Location "/secure">
	AuthtJwtClaim set sub %{REMOTE_USER}
	AuthtJwtSign hs256 file "/www/conf/jwt.secret"
	</Location></pre>
	</div>


	</div>
	<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
	<div class="directive-section"><h2><a name="AuthtJwtVerify" id="AuthtJwtVerify">AuthtJwtVerify</a> <a name="authtjwtverify" id="authtjwtverify">Directive</a> <a title="Permanent link" href="#authtjwtverify" class="permalink">¶</a></h2>
	<table class="directive">
	<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The JWS signing algorithm and passphrase/key to verify an incoming
	JWT token</td></tr>
	<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthtJwtVerify <var>algorithm</var> [<var>type</var> <var>param</var>]</code></td></tr>
	<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
	<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
	<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
	<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_autht_jwt</td></tr>
	</table>
	<p>The <code class="directive">AuthtJwtVerify</code> directive specifies the algorithm
	and secret used to verify incoming bearer tokens.</p>

	<p>If the algorithm type <var>none</var> is selected, the token is not
	protected, and will be accepted as is. Use only when the client is trusted, and the
	channel is protected through other means, such as mutually authenticated TLS, or
	unix domain sockets.</p>

	<p>If present, the <var>sub</var> claim is assigned to REMOTE_USER.</p>

	<div class="example"><h3>No Verification Example</h3><pre class="prettyprint lang-config"><Location "/mutual-tls-secured">
	AuthType bearer
	AuthName example-name
	AuthBearerProvider jwt
	AuthtJwtVerify none
	Require valid-user
	</Location></pre>
	</div>

	<p>If the algorithm type <var>HS256</var> is used, the algorithm is set to
	<var>HMAC-SHA256</var>, and the secret is set within the <var>file</var> specified
	as the third parameter. The contents of the bearer token is still visible, and so
	the channel must still be protected from evesdropping through TLS.</p>

	<p>If the signature is verified, and if present, the <var>sub</var> claim is
	assigned to REMOTE_USER.</p>

	<div class="example"><h3>Verification Example</h3><pre class="prettyprint lang-config"><Location "/secure">
	AuthType bearer
	AuthName example-name
	AuthBearerProvider jwt
	AuthtJwtVerify hs256 file "/www/conf/jwt.secret"
	Require valid-user
	</Location></pre>
	</div>


	</div>
	</div>
	<div class="bottomlang">
	<p><span>Available Languages: </span><a href="../en/mod/mod_autht_jwt.html" title="English"> en </a> \|
	<a href="../fr/mod/mod_autht_jwt.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
	</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div>
	<script type="text/javascript"><!--//--><![CDATA[//><!--
	var comments_shortname = 'httpd';
	var comments_identifier = 'http://httpd.apache.org/docs/trunk/mod/mod_autht_jwt.html';
	(function(w, d) {
	if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
	d.write('<div id="comments_thread"><\/div>');
	var s = d.createElement('script');
	s.type = 'text/javascript';
	s.async = true;
	s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
	(d.getElementsByTagName('head')[0] \|\| d.getElementsByTagName('body')[0]).appendChild(s);
	}
	else {
	d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
	}
	})(window, document);
	//--><!]]></script></div><div id="footer">
	<p class="apache">Copyright 2023 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
	<p class="menu"><a href="../mod/">Modules</a> \| <a href="../mod/quickreference.html">Directives</a> \| <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> \| <a href="../glossary.html">Glossary</a> \| <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
	if (typeof(prettyPrint) !== 'undefined') {
	prettyPrint();
	}
	//--><!]]></script>
	</body></html>