Validate JWT Bearer tokens from Auth0, Google, Keycloak, Okta, or any OIDC-compliant provider at the gateway. Your backend receives verified claims as headers — no SDK, no middleware, no code changes.
Client
Authorization: Bearer <token>
Nolxy Gateway
Fetch JWKS → Verify signature, issuer, audience, expiry
Your Backend
X-User-Id: 123 · X-User-Email: [email protected]
If it has a /.well-known/openid-configuration endpoint, it works.
Asymmetric only — HS256 is intentionally not supported (insecure for gateway auth)
RS256RS384RS512ES256ES384ES512No shared secrets ever leave your identity provider.
On kid miss, JWKS cache is invalidated and fresh keys are fetched. Handles provider key rotation with zero downtime.
Forward any JWT claim (sub, email, roles, custom) as upstream headers. Dot notation for nested claims.
Require specific OAuth2 scopes. Requests missing required scopes receive 403 before reaching your backend.
Keys are cached automatically and refreshed on rotation. Validation adds <0.1ms overhead.
Configurable clock skew (default 30s) to handle minor time differences between issuer and gateway.
OIDC / OAuth2 Auth is available on higher-tier plans. Configure issuer, audience, and claim mappings per-route in your dashboard.