All Products
Search
Document Center

Edge Security Acceleration:API token compliance validation

Last Updated:Oct 30, 2025

Create API token validation rules by configuring JSON Web Token (JWT) validation policies and applying them to your managed APIs. ESA then validates incoming requests against these tokens to secure your business APIs.

Configure an API token rule

  1. In the ESA console, go to Websites. In the Website column, click the target website.

  2. In the left navigation pane, go to Security > API Security.

  3. On the API Security page, click the API Rules tab, and then click Token Configuration.image

  4. Click Add to add a token configuration.image

  5. Configure the token parameters as required, and then click OK:

    • Name: Enter a custom name for the token, such as JWT-Demo.

    • Token Location: Select the location of the token in the request. Choose Header or Cookie and then enter the key.

      Note

      To check for tokens in different locations, you can click Or to create a logical OR condition. You can check up to four token locations simultaneously.

    • Token Key: Enter a token key manually or upload a JSON file. For more information about key requirements, see Token details.

      Note

      If you configure multiple keys, ESA uses the kid field to select a key for validation. The request is considered valid if it is validated by any one of the keys.

    image

  6. After you configure the token, create an API rule. Go back to the API Rules tab and click Add Rule.image

  7. Configure the token validation parameters as needed:

    • Rule Name: Enter a rule name, such as rule-jwt-demo.

    • Validate API: From the drop-down list, select the hostname that hosts the APIs you want to validate. ESA will automatically display a list of managed APIs under that hostname. Select the target API from the list.

    • Select Token Configuration: Select one or more tokens to validate. If you select multiple tokens, choose one of the following options:

      • Validate at least one: The request must match at least one of the selected token configurations. Otherwise, the request is marked as non-compliant.

      • Validate all: The request must match all selected token configurations. Otherwise, the request is marked as non-compliant.

        Note

        By default, a request is marked as non-compliant if a token is missing. To change this behavior, you can select Ignore from the drop-down list in the If No Token column.

    • Action: Select an action for requests that fail token validation:

      • Monotor: Allows non-compliant requests and records a log. For more information, see Events.

      • Block: Blocks non-compliant requests and records a block log. For more information, see Events.

    image

Verify the results

After you create the API rule, in left the navigation pane, choose Security > Events. On the Events page, use the filter to set the protection rule to API Rule. Scroll down to view detailed mitigation logs in the Sampling Logs section.

Token details

Token validation is currently available only for JWTs.

Field descriptions

The public key must be in JSON Web Key (JWK) format. The JWK public key must contain the kid and alg fields. The fields are described as follows:

  • kty: The key type, such as EC for Elliptic Curve.

  • use: The intended use of the public key, such as sig for digital signature.

  • crv: The type of elliptic curve, such as P-256 for the NIST standardized P-256 curve.

  • kid: A custom key identifier, such as esa. The JWK must include the kid field to enable key selection. The JWT claim in the request must also include the kid field. This field is used for token key rotation.

  • x: The x-coordinate of the elliptic curve public key.

  • y: The y-coordinate of the elliptic curve public key.

  • alg: The algorithm identifier. Currently, only ES256 is supported, which is the ECDSA signature algorithm with SHA-256.

Example

{
  "kty": "EC",
  "use": "sig",
  "crv": "P-256",
  "kid": "esa",
  "x": "QG3VFVwUX4IatQvBy7sqBvvmticCZ-eX5-nbtGKBOfI",
  "y": "A3PXCshn7XcG7Ivvd2K_DerW4LHAlIVKdqhrUnczTD0",
  "alg": "ES256"
}

FAQ

What is a JWT?

A JWT is an open standard (RFC 7519) that defines a compact, self-contained method for securely transmitting information between parties as a JSON object. A JWT serves as a standalone identity verification token, containing information such as user identity, roles, and permissions for resource retrieval from a server. Additional claims required for specific business logic can be included. JWTs are particularly useful for logon scenarios in distributed sites.

A JWT consists of three parts: Header, Payload, and Signature. Each part is Base64-encoded, and the parts are combined to form a string in the format Header.Payload.Signature:

  • Header: Declares the token type (JWT) and the signing algorithm.

  • Payload: Contains claims, which are statements about an entity (such as a user) and additional data. Custom fields can be added as required by a system.

  • Signature: Used to verify the JWT sender's identity and ensure the message was not altered during transmission.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

How do I generate a JWT?

Generate private and public keys for token creation and validation at https://mkjwk.org:

  1. In a browser, go to https://mkjwk.org.

  2. Click the EC tab, configure the parameters, and then click Generate. In the Public Key section, click Copy to Clipboard to copy the public key.

    • Curve: Select P-256.

    • Key Use: Select Signature.

    • Algorithm: Select ES256: ECDSA using P-256 and SHA-256.

    • Key ID: Enter a custom key identifier, such as esa.

    • image