Validate JWT Tokens in API Gateway: Easy Secure Microservices
Read this article in clean Markdown format for LLMs and AI context.Tired of mysterious 401 errors when your microservices try to talk?
The fix is simple: make your API gateway actually validate jwt tokens in api gateway before forwarding requests.
Follow the ready‑to‑copy configs for Kong, Apigee, and AWS API Gateway below and stop the midnight panic.
The moment I realized my gateway wasn’t actually checking JWTs
We rolled out a brand‑new order‑service and hooked it up to our existing user‑profile service. The first call went through, but the second one kept returning 401 Unauthorized. I double‑checked the code, re‑generated the token, even tried a fresh secret – nothing moved the needle.
Then I looked at the API gateway logs and saw the same token being passed straight through, unchanged. The gateway was acting like a simple reverse proxy, not a gatekeeper. In other words, it wasn’t validate jwt tokens in api gateway at all.
I dug into the config file and found a comment that said “TODO: add JWT validation later”. Apparently someone had assumed the downstream services would reject bad tokens, but our microservice architecture trusts the gateway to do the heavy lifting. That’s why the error showed up only when the token expired or was malformed – the services never saw the problem because the gateway let it slip by.
The real kicker was that the token validation was disabled in the production profile by accident. A copy‑paste from the dev config overwrote the security block, leaving the gateway wide open. Once I re‑enabled the JWT plugin and pointed it at our public key, the 401s vanished.
That experience taught me three things:
- Never assume the gateway is doing security work for you.
- Always test token validation in a staging environment.
- Keep the config under version control so you can spot accidental rollbacks.
If you’re seeing the same “401 Unauthorized” surprise, the first thing to do is open the gateway config and verify that the JWT validation step is actually turned on.
How to Validate JWT Tokens in API Gateway (Kong, Apigee, AWS)
Below are the three snippets that got us back on track in minutes. I keep them in a gist on [Your Blog Name], so feel free to copy‑paste them straight into your setup.
Kong
- Add the JWT plugin to your service:
plugins:
- name: jwt
config:
claims_to_verify:
- exp
- nbf
- Register your public key (or JWKS URL):
curl -i -X POST http://localhost:8001/services/<service>/plugins \
--data "name=jwt" \
--data "config.key_claim_name=iss" \
--data "config.secret_is_base64=true" \
--data "config.secret=<YOUR_PUBLIC_KEY>"
That’s the how to configure jwt authentication in kong api gateway part you’ve been looking for. Save, reload Kong, and you’ll see requests with missing or expired tokens get a 401 instantly.
Apigee
- Create a JWT verification policy in your proxy’s pre‑flow:
<JWTVerification name="Verify-JWT">
<Algorithm>RS256</Algorithm>
<PublicKey>{YOUR_PUBLIC_KEY}</PublicKey>
<Subject>sub</Subject>
<Audience>your-audience</Audience>
</JWTVerification>
- Attach the policy to the request flow:
<Flow name="Default">
<Request>
<Step>
<Name>Verify-JWT</Name>
</Step>
</Request>
</Flow>
Apigee will now reject any request that fails jwt validation api gateway microservices checks, returning a clean 401 response.
AWS API Gateway
-
In the console, go to Authorizers and create a new JWT authorizer.
-
Set the token source to
Authorizationheader, paste your JWKS URL, and choose the audience you expect. -
Attach the authorizer to the routes that need protection.
That’s the core of api gateway jwt token verification best practices – keep the JWKS URL secret, limit the audience, and always test with an expired token to confirm the 401 path works.
Paste each snippet, hit save, and watch the errors disappear. No extra services, no custom code – just the built‑in features each gateway already offers.
Wrap up & Thoughts
Now your services talk like they’re supposed to, no more token guessing games at odd hours. By making sure your gateway actually validate jwt tokens in api gateway, you lock down the whole microservice chain with a single line of config.
If this quick guide saved you a few headaches, consider subscribing to the [Your Blog Name] newsletter for more bite‑sized API tricks. And hey, if you think a colleague could use the same fix, go ahead and share the post.
- →
- →
- →