Inject JWT data in API transform

Hello, I am using JWT to protect several APIs exposed to a mobile app; the JWT token is released by an authentication API and it embeds the user_id of the authenticated user of the app.
This user_id variable should be accessible by other protected APIs, and they should be able to get this variable from the JWT token only (and not as a regular input parameter) for security reasons.

Question: is it possible to enrich / transform the request to a JWT-protected API with data coming from the JWT itself?
Is there a way to access JWT data like: ${tyk_meta.jwt.user_id} in order to use it in request transform?

Best regards
Roberto

1 Like

Hi Roberto,

Not yet - it’s an interesting idea though, at the moment the only meta data inserted into the generated token is the underlying token ID (so you can look it up):

https://github.com/TykTechnologies/tyk/blob/master/middleware_jwt.go#L257

We’ll mull it over, I worry about the data getting stale as the data needs to be carried by the underlying session token, and since this only gets created once, the data could get stale.

M.

Ok I see.
But does the actual JWT get passed to the API via Authorization header?
If so, the API itself would be able to get the data in the JWT payload.

Best Regards
Roberto

Yes, Tyk doesn’t mess with the request, it just carries a context; the JWT remains intact.

Any news on this issue? I want to use the payload to redirect a request to a specific instance of my API. Is there currently a way to do so?

I actually found my answer: as the whole request will be sent to your API, you can easily use the payload.

1 Like
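The approach the thread settles on, reading `user_id` from the JWT that arrives intact in the Authorization header, sketched as an added example for the upstream API (not code from Tyk or from any poster). It assumes an HS256 token signed with a shared secret and a string-valued `user_id` claim; the function names are hypothetical, and it re-checks the signature so the claim is trusted only when the token verifies.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
func hs256(msg string, key []byte) []byte { // HMAC-SHA256 of msg under key
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(msg))
	return mac.Sum(nil)
}

// UserIDFromAuthHeader verifies an HS256 JWT (shared secret assumed) and returns user_id.
func UserIDFromAuthHeader(header string, secret []byte) (string, error) {
	parts := strings.Split(strings.TrimPrefix(header, "Bearer "), ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "HS256" {
		return "", fmt.Errorf("unsupported alg") // pins HS256, rejects "none"
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], secret)) {
		return "", fmt.Errorf("bad signature") // constant-time comparison
	}
	var claims struct{ UserID string `json:"user_id"` }
	rawClaims, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(rawClaims, &claims) != nil || claims.UserID == "" {
		return "", fmt.Errorf("missing user_id claim")
	}
	return claims.UserID, nil
}

func signHS256(payload string, secret []byte) string { // builds a constructed sample token
	body := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(payload))
	return body + "." + b64.EncodeToString(hs256(body, secret))
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed value, demo only
	fmt.Println(UserIDFromAuthHeader("Bearer "+signHS256(`{"user_id":"42"}`, secret), secret))
}
```

A production handler would also check `exp` and any audience or issuer claims the token carries.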