OIDC / OAuth2 Auth

Any Identity Provider.
Zero Backend Changes.

Validate JWT Bearer tokens from Auth0, Google, Keycloak, Okta, or any OIDC-compliant provider at the gateway. Your backend receives verified claims as headers — no SDK, no middleware, no code changes.

Authentication Flow

Client

Authorization: Bearer <token>

Nolxy Gateway

Fetch JWKS → Verify signature, issuer, audience, expiry

Your Backend

X-User-Id: 123 · X-User-Email: [email protected]

Works With Any OIDC Provider

If it has a /.well-known/openid-configuration endpoint, it works.

Auth0
Google
Keycloak
Okta
Azure AD
AWS Cognito
+ any OIDC provider

Supported Algorithms

Asymmetric only — HS256 is intentionally not supported (insecure for gateway auth)

RS256RS384RS512ES256ES384ES512

Security Details

Public key verification

No shared secrets ever leave your identity provider.

Automatic Key Rotation

On kid miss, JWKS cache is invalidated and fresh keys are fetched. Handles provider key rotation with zero downtime.

Claim Injection

Forward any JWT claim (sub, email, roles, custom) as upstream headers. Dot notation for nested claims.

Scope Enforcement

Require specific OAuth2 scopes. Requests missing required scopes receive 403 before reaching your backend.

JWKS Caching

Keys are cached automatically and refreshed on rotation. Validation adds <0.1ms overhead.

Clock Skew Tolerance

Configurable clock skew (default 30s) to handle minor time differences between issuer and gateway.

Add SSO to Any API in Minutes

OIDC / OAuth2 Auth is available on higher-tier plans. Configure issuer, audience, and claim mappings per-route in your dashboard.