Split json page

api-management/authentication/jwt-authorization.mdx

@@ -1,6 +1,6 @@
 ---
 title: "JWT Authorization"
-description: "How JWT authorization works in Tyk API Gateway."
+description: "Tyk Gateway's JWT Authorization process extracts user identity and applies security policies based on JWT claims for API access control."
 keywords: "Authentication, Authorization, JWT, JSON Web Tokens, Claims, Validation"
 sidebarTitle: "Authorization"
 ---

api-management/authentication/jwt-claim-validation.mdx

@@ -1,6 +1,6 @@
 ---
 title: "JWT Claim Validation"
-description: "How to validate JWT claims in Tyk API Gateway."
+description: "Tyk Gateway's JWT Claim Validation enables fine-grained access control by validating registered and custom claims in JSON Web Tokens."
 keywords: "Authentication, JWT, JSON Web Tokens, Claims, Validation"
 sidebarTitle: "Claim Validation"
 ---
@@ -796,4 +796,18 @@ x-tyk-api-gateway:
               nonBlocking: true
 ```
 
-The `nonBlocking` flag in the validation rule for `user.preferences.notifications` means that if this claim is missing from the received token, the token will not fail validation, but a warning will be logged.
+The `nonBlocking` flag in the validation rule for `user.preferences.notifications` means that if this claim is missing from the received token, the token will not fail validation, but a warning will be logged.
+
+## FAQ
+
+<AccordionGroup>
+
+<Accordion title='Can I restrict which issuers tokens are accepted?'>
+Yes, you can configure `AllowedIssuers` to specify which iss (issuer) claim values are accepted. Tokens from other issuers will be rejected.
+</Accordion>
+
+<Accordion title='How can I validate custom claims in the JWT?'>
+Use the `CustomClaimValidation` configuration to validate specific claims with different validation types (Required, ExactMatch, or Contains).
+</Accordion>
+
+</AccordionGroup>

api-management/authentication/jwt-quick-start.mdx

@@ -0,0 +1,95 @@
+---
+title: "JWT Quick Start: Securing APIs with Auth0 or Keycloak"
+description: "Learn how to secure your Tyk OAS APIs using JWT authentication with Auth0 or Keycloak as identity providers."
+keywords: "Authentication, JWT, JSON Web Tokens, Quick Start"
+sidebarTitle: "Quick Start"
+---
+
+In this tutorial, we'll secure a Tyk OAS API using JWT authentication with either Auth0 or Keycloak as the identity provider.
+
+<Note>
+If you want to try out JWT Auth without linking up to a third-party IdP then you can skip step 1 and provide the base64 encoded public key for your JWT (in the `source` field rather than configuring `jwksURIs`) in step 3. You'll need to generate a JWT for the request, but otherwise everything stays the same. 
+
+Now back to the tutorial...
+</Note>
+
+We'll start by configuring the identity provider, then set up JWT validation in Tyk, create a security policy, configure the API to use the policy, and finally test the secured API with a valid token.
+
+### Prerequisites
+
+- A Tyk installation (Cloud or Self-Managed) with Tyk Dashboard license
+- An Auth0 account or Keycloak installation
+- An existing Tyk OAS API (see [this tutorial](/api-management/gateway-config-managing-oas#using-tyk-dashboard-api-designer-to-create-an-api))
+- Postman, cURL, or another API testing tool
+
+### Step-by-Step Guide
+
+1. **Configure Your Identity Provider to obtain your JWKS URI**
+
+    The first step is to configure your Identity Provider (IdP) to issue JWTs and provide a JWKS URI that Tyk can use to validate the tokens. Below are instructions for both Auth0 and Keycloak.
+
+    <Tabs>
+    <Tab title="Auth0 Setup">
+
+    1. Log in to your Auth0 dashboard
+    2. Navigate to Applications > APIs and click Create API
+    3. Enter a name and identifier (audience) for your API
+    4. Note your Auth0 domain (e.g. `your-tenant.auth0.com`)
+    5. Your JWKS URI will be: `https://your-tenant.auth0.com/.well-known/jwks.json`
+
+    </Tab>
+
+    <Tab title="Keycloak Setup">
+
+    1. Log in to your Keycloak admin console
+    2. Create or select a realm (e.g. `tyk-demo`)
+    3. Navigate to Clients and create a new client with:
+          - Client ID: `tyk-api-client`
+          - Client Protocol: `openid-connect`
+          - Access Type: `confidential`
+    4. After saving, go to the Installation tab and select "OIDC JSON" format
+    5. Your JWKS URI will be: `http://your-keycloak-host/realms/tyk-demo/protocol/openid-connect/certs`
+
+    </Tab>
+
+    </Tabs>
+
+2. **Create a Security Policy**
+
+    1. In the Tyk Dashboard, navigate to **Policies**
+    2. Click **Add Policy**
+    3. Configure the policy:
+          - Name: `JWT Auth Policy`
+          - APIs: Select your Tyk OAS API
+          - Access Rights: Configure appropriate paths and methods
+          - Authentication: Select JWT
+          - JWT Scope Claim Name: Enter the JWT claim that contains scopes (e.g. `scope` or `permissions`)
+          - Required Scopes: Add any required scopes for access (optional)
+    4. Click Create to save your policy
+
+3. **Configure JWT Authentication in Tyk OAS API**
+
+    1. Navigate to APIs and select your API
+    2. Click **Edit**
+    3. Enable **Authentication** in the **Server** section, select **JSON Web Token (JWT)** as the authentication method
+    4. Configure the JWT settings:
+          - Token Signing Method: Select `RSA Public Key`
+          - Subject identity claim: Set to `sub`
+          - JWKS Endpoint: Enter your JWKS URI for your IdP obtained in step 1
+          - Policy claim: Set to `pol`
+          - Default policy: Select `JWT Auth Policy` (the policy you created previously)
+          - Clock Skew (optional): Set to accommodate time differences (e.g. `10`)
+          - Authentication Token Location: `header`
+          - Header Name: `Authorization`
+          - Strip Authorization Data: `Enabled`
+    5. Click **Save API**
+
+4. **Test your API**
+
+    1. Obtain a JWT from your IdP
+    2. Make a request to your API providing the JWT as a Bearer token in the `Authorization` header; Tyk will validate the JWT using the JWKS that it retrieves from your JWKS URI
+    3. Observe that the request is successful
+
+    ```bash
+        curl -X GET {API URL}  -H "Accept: application/json" -H "Authorization: Bearer {token}"
+    ```