Tyk with JWT: Using an RSA key


I’ve been able to get JWT authentication in Tyk working using an HMAC secret. However, I want to use RSA encryption ideally.

I am working with the latest version of Tyk Community Edition on Ubuntu 22.04.

I generated an RSA keypair as follows:

ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key

Then, to get the public key in the correct format:

openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub

I then base64 encoded the private key:

cat jwtRS256.key | base64 -w 0

and added:

"jwt_signing_method": "rsa",
"jwt_source": "...{base64 encoded private key}"

to my API definition.

I then generated a JWT with the correct policy ID set at https://jwt.io using the RS256 algorithm option. This is encoded correctly on that site and the signature is verified.

However, when I try to authenticate in Tyk I get the following errors in the log:

Mar 24 15:25:15 vmi1225482 tyk[502]: time="Mar 24 15:25:15" level=info msg="Attempted JWT access with non-existent key." api_id=1 api_name=image-operations-api mw=JWTMiddleware org_id=1 origin=x.x.x.x path="/images/images"
Mar 24 15:25:15 vmi1225482 tyk[502]: time="Mar 24 15:25:15" level=error msg="JWT validation error" api_id=1 api_name=image-operations-api error="Failed to decode JWT key" mw=JWTMiddleware org_id=1 origin=x.x.x.x path="/images/images"

What am I doing wrong? If someone could help me with the correct procedure for getting RSA-based JWT authentication working, I’d be grateful.

Hi @notnow123,

The bit where you encode the private key and set it as the “jwt_source”? You should be encoding and setting the public key, not the private key.
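
An added example (not part of the original thread, and not Tyk's own code): a pre-deployment check that decodes the jwt_source value of an API definition and reports whether it holds a public or a private PEM key. It assumes jwt_signing_method and jwt_source sit at the top level of the definition as in the question, looks only at the PEM label rather than validating the key, and uses constructed placeholder keys; the function names are hypothetical.

```python
import base64
import json
import re

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def classify_jwt_source(value):
    """Return (verdict, pem_label) for a base64-encoded jwt_source value."""
    try:
        # validate=True rejects stray characters such as line wraps.
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return ("not-base64-text", None)
    match = PEM_BEGIN.search(decoded)
    if match is None:
        return ("not-pem", None)
    label = match.group(1)
    if label.endswith("PRIVATE KEY"):
        return ("private-key", label)
    if label.endswith("PUBLIC KEY"):
        return ("public-key", label)
    return ("other-pem", label)


def check_api_definition(text):
    """Lint the JWT settings of an API definition given as JSON text."""
    api = json.loads(text)
    if api.get("jwt_signing_method") != "rsa":
        return "SKIP: jwt_signing_method is not rsa"
    # A missing or null jwt_source is treated as an empty string.
    verdict, label = classify_jwt_source(str(api.get("jwt_source") or ""))
    if verdict == "public-key":
        return f"OK: jwt_source holds a public key ({label})"
    if verdict == "private-key":
        return f"FAIL: jwt_source holds a private key ({label}); use the public key"
    return f"FAIL: jwt_source is {verdict}"


def sample_source(label):
    """Constructed placeholder PEM (not a real key), base64-encoded."""
    pem = f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    for label in ("RSA PRIVATE KEY", "PUBLIC KEY"):
        api = {"jwt_signing_method": "rsa", "jwt_source": sample_source(label)}
        print(check_api_definition(json.dumps(api)))
```

The first sample mirrors the question's setup (ssh-keygen -m PEM writes an "RSA PRIVATE KEY" block), the second the output of the openssl -pubout step.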