Create API token validation rules by configuring JSON Web Token (JWT) validation policies and applying them to your managed APIs. ESA then validates incoming requests against these tokens to secure your business APIs.
Configure an API token rule
In the ESA console, go to Websites. In the Website column, click the target website.
In the left navigation pane, go to .
On the API Security page, click the API Rules tab, and then click Token Configuration.

Click Add to add a token configuration.

Configure the token parameters as required, and then click OK:
Name: Enter a custom name for the token, such as
JWT-Demo.Token Location: Select the location of the token in the request. Choose Header or Cookie and then enter the key.
NoteTo check for tokens in different locations, you can click Or to create a logical
ORcondition. You can check up to four token locations simultaneously.Token Key: Enter a token key manually or upload a JSON file. For more information about key requirements, see Token details.
NoteIf you configure multiple keys, ESA uses the
kidfield to select a key for validation. The request is considered valid if it is validated by any one of the keys.

After you configure the token, create an API rule. Go back to the API Rules tab and click Add Rule.

Configure the token validation parameters as needed:
Rule Name: Enter a rule name, such as
rule-jwt-demo.Validate API: From the drop-down list, select the hostname that hosts the APIs you want to validate. ESA will automatically display a list of managed APIs under that hostname. Select the target API from the list.
Select Token Configuration: Select one or more tokens to validate. If you select multiple tokens, choose one of the following options:
Validate at least one: The request must match at least one of the selected token configurations. Otherwise, the request is marked as non-compliant.
Validate all: The request must match all selected token configurations. Otherwise, the request is marked as non-compliant.
NoteBy default, a request is marked as non-compliant if a token is missing. To change this behavior, you can select Ignore from the drop-down list in the If No Token column.
Action: Select an action for requests that fail token validation:

Verify the results
After you create the API rule, in left the navigation pane, choose . On the Events page, use the filter to set the protection rule to API Rule. Scroll down to view detailed mitigation logs in the Sampling Logs section.
Token details
Token validation is currently available only for JWTs.
Field descriptions
The public key must be in JSON Web Key (JWK) format. The JWK public key must contain the kid and alg fields. The fields are described as follows:
kty: The key type, such asECfor Elliptic Curve.use: The intended use of the public key, such assigfor digital signature.crv: The type of elliptic curve, such asP-256for the NIST standardized P-256 curve.kid: A custom key identifier, such asesa. The JWK must include thekidfield to enable key selection. The JWT claim in the request must also include thekidfield. This field is used for token key rotation.x: The x-coordinate of the elliptic curve public key.y: The y-coordinate of the elliptic curve public key.alg: The algorithm identifier. Currently, onlyES256is supported, which is the ECDSA signature algorithm with SHA-256.
Example
{
"kty": "EC",
"use": "sig",
"crv": "P-256",
"kid": "esa",
"x": "QG3VFVwUX4IatQvBy7sqBvvmticCZ-eX5-nbtGKBOfI",
"y": "A3PXCshn7XcG7Ivvd2K_DerW4LHAlIVKdqhrUnczTD0",
"alg": "ES256"
}