This repository has been archived by the owner. It is now read-only.
A tiny JWT based API gateway
Switch branches/tags
Clone or download
brycekahle Merge pull request #8 from netlify/jwt-sub
Simply JWT parsing logic
Latest commit abcb19d Aug 28, 2017


A tiny API Gateway based on JWTs.

Gotiator can handle simple API proxying with signing for single page apps that already use JWTs for authentication.

Gotiator Proxy is released under the MIT License. Please make sure you understand its implications and guarantees.


go get
gotiator serve


Settings can be set either by creating a config.json or setting NETLIFY_ prefixed environment variables. IE.:

  "jwt": {
    "secret": "2134"

Is the same as:

GOTIATOR_JWT_SECRET=2134 gotiator serve

You must set your JWT secret (and we strongly recommend doing this with an environment variable) to match the JWT issuer (like Auth0) or netlify-auth.

You configure API proxying from the config.json:

  "apis": [
    {"name": "github", "url": "", "roles": ["contributor"]}

To sign outgoing requests with a Bearer token, you must set an environment variable with the token, based on the name of the API. If the API is called github, you must set:


The roles property specifies which roles should have access to the API. Roles should be encoded in the JWT claims under app_metadata.roles. Any request with a correctly signed JWT that includes one of the roles in it's app_metadata will be allowed to make requests to the API signed with your token via /:api_name.

With the above example, a user with a JWT proving the claim that she has the role "contributor", can send signed requests to GitHub's API scoped to this repo, via: