This guide walks you through configuring the jwt-validation Traffic Policy action to validate tokens you issue from Auth0 on an ngrok-managed domain (referred to as <YOUR_NGROK_DOMAIN> below).

What you’ll need

1. Define your API in Auth0

If you’ve already done this, skip to the next section.
  • Sign in to your Auth0 tenant dashboard.
  • Select Applications > APIs, then + Create API.
  • Name your API whatever you like.
  • Replace the value of the Identifier field with <YOUR_NGROK_DOMAIN>.
  • Leave the default values for JSON Web Token (JWT) Profile and JSON Web Token Signing Algorithm.
  • Click Create.
After creating your API, you can define scopes in the Permissions tab. Scopes that you grant to a client application appear in the scope claim of the JWTs issued for that client, where your API can check them.

2. Access your JWT

When you create a new API, Auth0 lists it under Applications > APIs in the left navigation. Open your API and click the Test tab. There you will find a signed, working JWT for the API and example requests for obtaining one programmatically (a client credentials request made with the Machine to Machine application described in the next step). The test token carries an exp claim and stops working once it expires, so fetch a fresh one if a test in step 5 fails later with a token that previously worked.

3. Create a Machine to Machine application

When you create your API in Auth0, it normally also creates a new Machine to Machine application and authorizes it to use the API. If you added scopes to your API, grant them to that application in the Machine to Machine Applications tab of your API; only granted scopes end up in the token's scope claim. If no Machine to Machine application was created, create one under Applications and select your new API when prompted.

4. Configure the jwt-validation Traffic Policy action

You now have what you need to configure JWT validation in Traffic Policy. Set issuer.allow_list.value, audience.allow_list.value, and jws.keys.sources.additional_jkus to match your Auth0 tenant and API:
  • Find <YOUR_AUTH0_TENANT_ID> and <AUTH0_REGION> in your Auth0 dashboard; together they form your tenant domain, <YOUR_AUTH0_TENANT_ID>.<AUTH0_REGION>.auth0.com.
  • The audience must match exactly what you entered in Auth0 as the API Identifier in step 1.
You can take the example token from the Test tab of your API and decode it (for example with a JWT decoder) to read the values for the following fields. Decoding only reads the claims; it does not verify the token, which is the job of the Traffic Policy action:
  • issuer.allow_list.value (claim: iss): The URL of your Auth0 tenant, including the trailing slash, usually https://<YOUR_AUTH0_TENANT_ID>.<AUTH0_REGION>.auth0.com/. It is the issuer field of your tenant's OpenID configuration at https://<YOUR_AUTH0_TENANT_ID>.<AUTH0_REGION>.auth0.com/.well-known/openid-configuration. If your tenant uses a custom domain, the issuer uses that domain instead.
  • audience.allow_list.value (claim: aud): The Identifier of your API from the APIs section of your Auth0 dashboard, typically https://<YOUR_NGROK_DOMAIN>. The value in the rule must match the claim exactly, including the scheme.
  • http.tokens (no claim): Where in the incoming request ngrok looks for the token, by default the Authorization header with the Bearer prefix used in the curl test below. You do not need to change this value.
  • jws.allowed_algorithms (header parameter: alg): The algorithm Auth0 uses to sign tokens for your API, RS256 by default. You can find it in your API's Settings tab under Token Settings. List only the algorithm you actually use; this allow list is what rejects tokens signed with a different or weaker algorithm.
  • jws.keys.sources.additional_jkus (no claim): The JWKS URL from which ngrok fetches the public keys used to verify the signature. It is the jwks_uri field of the OpenID configuration above, usually https://<YOUR_AUTH0_TENANT_ID>.<AUTH0_REGION>.auth0.com/.well-known/jwks.json.
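As an added example (not part of the original page or ngrok's own code), the following Python script does the decode-and-map step above end to end: it builds a constructed Auth0-shaped token, reads its header and payload without verifying the signature, derives the issuer, audience, algorithm and JWKS URL, and renders them into a Traffic Policy rule. The tenant id, region and ngrok domain are placeholders, and the on_http_request/actions nesting is assumed from ngrok's Traffic Policy format; the jwt-validation fields follow the names in the list above.

```python
import base64
import json

# Constructed placeholder values (assumptions for this example, not a real tenant).
TENANT_ID = "example-tenant"
REGION = "us"
NGROK_DOMAIN = "api.example.ngrok.app"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWT segments are encoded (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token() -> str:
    """Build a constructed token shaped like the one on Auth0's Test tab.
    The signature segment is a placeholder: this token is only good for
    reading claims and would (correctly) be rejected by jwt-validation."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    payload = {
        "iss": f"https://{TENANT_ID}.{REGION}.auth0.com/",
        "sub": "example-client-id@clients",
        "aud": f"https://{NGROK_DOMAIN}",
        "iat": 1700000000,
        "exp": 1700086400,
        "scope": "read:items",
        "gty": "client-credentials",
    }
    encoded = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
               for p in (header, payload)]
    return ".".join(encoded + [b64url_encode(b"placeholder-signature")])


def decode_unverified(token: str) -> tuple:
    """Return (header, payload) WITHOUT checking the signature.
    Fine for discovering configuration values; never use an unverified
    decode to make an authorization decision. Verification is what the
    jwt-validation action does at the edge."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def policy_values(header: dict, payload: dict) -> dict:
    """Map the claims to the Traffic Policy fields listed above."""
    aud = payload["aud"]
    issuer = payload["iss"]
    return {
        "issuer": issuer,
        # aud may be a single string or a list (RFC 7519 section 4.1.3).
        "audiences": aud if isinstance(aud, list) else [aud],
        "alg": header["alg"],
        # Auth0 publishes its signing keys at this path under the issuer
        # (the jwks_uri value of .well-known/openid-configuration).
        "jwks_url": issuer.rstrip("/") + "/.well-known/jwks.json",
    }


def render_traffic_policy(values: dict) -> str:
    """Render the rule as YAML. Only the algorithm actually in use is allowed,
    so tokens signed with anything else (or unsigned) are rejected."""
    lines = [
        "on_http_request:",
        "  - actions:",
        "      - type: jwt-validation",
        "        config:",
        "          issuer:",
        "            allow_list:",
        f"              - value: {values['issuer']}",
        "          audience:",
        "            allow_list:",
        *[f"              - value: {a}" for a in values["audiences"]],
        "          http:",
        "            tokens:",
        "              - type: jwt",
        "                method: header",
        "                name: Authorization",
        '                prefix: "Bearer "',
        "          jws:",
        "            allowed_algorithms:",
        f"              - {values['alg']}",
        "            keys:",
        "              sources:",
        "                additional_jkus:",
        f"                  - {values['jwks_url']}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hdr, claims = decode_unverified(make_sample_token())
    print(render_traffic_policy(policy_values(hdr, claims)))
```

Run it against the real token from your API's Test tab by replacing make_sample_token() with that string; the printed issuer, audience and JWKS URL are the values to paste into your rule. The audience list is emitted as a list because the aud claim may itself be a list, and allowed_algorithms contains only the alg found in the header rather than every algorithm ngrok supports.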

5. Test JWT validation on your endpoint

Start your endpoint with the new Traffic Policy rule applied, then test it with curl, using the token from step 2:
curl --request GET \
  --url https://<YOUR_NGROK_DOMAIN>/ \
  --header 'authorization: Bearer YOUR-FULL-JWT-HERE-FROM-STEP-2'
If you see the response from your API, the integration is working. Confirm that validation is actually enforced by repeating the request with no Authorization header, with a malformed token, and with a token whose signature or audience does not match; each of these must be rejected before the request reaches your API. If a valid, unexpired token is rejected, double-check that the issuer (including its trailing slash) and audience values in your Traffic Policy rule match the token's iss and aud claims exactly.