The JWT Proxy is an HTTP proxy service written in Go that implements authentication between microservices through JSON Web Tokens. It functions as both a forward proxy and reverse proxy, enabling secure inter-service communication by signing outgoing requests and verifying incoming requests using JWT-based authentication.
The forward proxy component signs outgoing HTTP requests with JWT tokens that contain claims about the originating service and intended recipient. It supports multiple key management strategies including automatic key pair generation with public key publication to a key server following the key server specification, pre-shared private keys for high-availability scenarios where the originating service runs multiple instances, and MITM SSL signing capabilities with configurable certificate authorities. The forward proxy can append JWT Authorization headers to requests and handle SSL connections, though CONNECT tunneling for MITM SSL is limited to HTTPS requests by design.
The reverse proxy component validates incoming requests by decoding and verifying JWT Authorization headers. It can verify signatures against public keys fetched from a key server, use pre-shared public keys for testing scenarios, perform SSL termination on behalf of upstream services, and employ a pluggable claims verifier interface with a bundled static claims verifier implementation. This allows downstream services to trust that requests have been properly authenticated by the proxy.
Configuration is managed through YAML files with a top-level jwtproxy flag, allowing multiple services to be configured in a single file. The presence or absence of signer and verifier configuration blocks determines whether the forward and reverse proxy components are enabled. The repository includes example configurations demonstrating various setups including autogenerated private keys, key registry key servers, and preshared key scenarios.
Key management is a central concern of the proxy. For forward proxy HTTPS signing, the service requires a CA certificate and private key to perform man-in-the-middle interception and forge TLS certificates on behalf of remote servers. The documentation provides commands to generate these certificates valid for one year without passphrases. For reverse proxy TLS termination, the service can use either certificate authority-provided key pairs or self-signed certificates, with the generated certificates needing to be trusted by the forward proxy through system-wide trust or explicit configuration.
The repository is classified across multiple security and integration domains including JWT authentication, token handling, middleware, token validation, bearer token processing, API gateway functionality, and access control. The codebase demonstrates active maintenance patterns typical of production proxy services, with configuration examples provided in a dedicated examples folder and comprehensive documentation covering certificate generation, key management, and deployment scenarios.
The service addresses the specific problem of authenticating requests between internal services without requiring each service to independently implement JWT signing and verification logic. By centralizing this functionality in dedicated proxy components, organizations can enforce consistent authentication policies across their service mesh while maintaining separation of concerns between application logic and authentication infrastructure.