Managing JWT Security
Last updated
Was this helpful?
Last updated
Was this helpful?
If you are using the model of authentication to secure your NATS infrastructure or implementing an service, you can administer authentication and authorization without having to change the servers' configuration files.
You can use the CLI tool to manage identities. Identities take the form of nkeys. Nkeys are a public-key signature system based on Ed25519 for the NATS ecosystem. The nkey identities are associated with NATS configuration in the form of a JSON Web Token (JWT). The JWT is digitally signed by the private key of an issuer forming a chain of trust. The nsc tool creates and manages these identities and allows you to deploy them to a JWT account server, which in turn makes the configurations available to nats-servers.
You can also use CLI tool and library to manage keys.
You can create, update and delete accounts and users programmatically using the following libraries:
Golang: see and .
Java: see and
You can integrate NATS with your existing authentication/authorization system or create your own custom authentication using the .
See under "Authentication and Authorization" for JWT and Auth callout server implementation examples.
Golang example from https://natsbyexample.com/examples/auth/nkeys-jwts/go
You can see the key (and any signing keys) of your operator using nsc list keys --show-seeds, you should use a 'signing key' to create the account JWTs (as singing keys can be revoked/rotated easily)
The system is just like any other account, the only difference is that it is listed as system account in the operator's JWT (and the server config).
To delete accounts use the "$SYS.REQ.CLAIMS.DELETE" (see ) and make sure to enable JWT deletion in your nats-server resolver (config allow_delete: true in the resolver stanza of the server configuration).