Hello, I am using JWT to protect several APIs exposed to a mobile app; the JWT token is released by an authentication API and it embeds the user_id of the authenticated user of the app.
This user_id variable should be accessible by other protected APIs, and they should be able to get this variable from the JWT token only (and not as a regular input parameter) for security reasons.
Question: is it possible to enrich / transform the request to a JWT-protected API with data coming from the JWT itself?
Is there a way to access JWT data like: ${tyk_meta.jwt.user_id} in order to use it in request transform?
Not yet - it’s an interesting idea, though. At the moment, the only metadata inserted into the generated token is the underlying token ID (so you can look it up):
We’ll mull it over. I worry about the data getting stale, as the data needs to be carried by the underlying session token, and since this only gets created once, the data could get stale.
Ok I see.
But does the actual JWT get passed to the API via Authorization header?
If so, the API itself would be able to get the data in the JWT payload.
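Added example, not part of the thread and not Tyk code: a sketch of an upstream API taking user_id from the JWT only, assuming the gateway forwards the original Authorization header (the thread leaves this unanswered) and that tokens are HS256-signed with a secret the API shares with the authentication API. `SECRET`, `make_token` and `user_id_from_request` are hypothetical names, and the token is constructed for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HS256 key shared with the auth API

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key=SECRET, alg="HS256"):
    """Constructed token issuer for the demo; stands in for the authentication API."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def user_id_from_request(headers, params, key=SECRET, now=None):
    """Return user_id from a verified JWT; `params` is deliberately never read."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    parts = token.split(".")
    if scheme.lower() != "bearer" or len(parts) != 3:
        raise PermissionError("missing or malformed bearer token")
    head, body, sig = parts
    try:
        header = json.loads(b64url_decode(head))
        # Pin the algorithm so a token cannot choose "none" or another scheme.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise PermissionError("unexpected signing algorithm")
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(b64url_decode(body))  # parsed only after verification
    except ValueError as exc:  # bad base64 or bad JSON
        raise PermissionError("undecodable token") from exc
    if not isinstance(claims, dict):
        raise PermissionError("claims must be a JSON object")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise PermissionError("token expired or missing exp")
    if "user_id" not in claims:
        raise PermissionError("token carries no user_id")
    return str(claims["user_id"])

if __name__ == "__main__":
    tok = make_token({"user_id": "42", "exp": time.time() + 300})
    # A caller-supplied user_id parameter has no effect on the result.
    print(user_id_from_request({"Authorization": f"Bearer {tok}"}, {"user_id": "999"}))
```

The API should verify the signature itself even behind the gateway, so a request that reaches it by another path cannot supply its own user_id.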