JWT Validation

Before You Change Anything

Security reference pages are precise for a reason. Treat changes here as trust-boundary changes, not routine config tweaks.

Requests that use bearer tokens are validated by the gateway before the backend sees them.

In plain language, this is the normal bearer-token path. A request sends a Firebase token, Envoy checks it first, and bad tokens are rejected immediately.

This path is separate from the HMAC device-signature path used by mobile requests that send X-Token.

SecurityPolicy Resource

The SecurityPolicy is attached to the public-edge gateway and validates Authorization: Bearer tokens.

If the resource name is unfamiliar, the practical meaning is simple: it is the gateway rule that enforces bearer-token validation before requests are forwarded.

It does three things:

  • Validates tokens against Firebase's JWKS endpoint
  • Forwards valid tokens to the orchestrator with their claims extracted
  • Rejects invalid or expired tokens with 401 before they reach any backend service

Firebase JWKS Endpoint

JWKS is the public-key document Firebase publishes so other systems can verify token signatures.

Envoy fetches those public keys from Firebase's standard JWKS URL so it can tell whether the token was really issued by Firebase.

Key rotation is handled automatically by the JWKS protocol. Envoy caches keys and refreshes them when a token presents an unknown kid.
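The verification and cache-refresh behaviour described above, as an added example in Python (not the gateway's own code, which is Envoy configuration): the verifier selects the key by kid, refetches the JWKS once on an unknown kid, checks the RS256 signature, and rejects expired tokens with ValueError where the gateway would answer 401. The fetch_jwks callable and sign_rs256 helper are assumptions for exercising it locally; issuer and audience checks are omitted.

```python
import base64, hashlib, hmac, json, time

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo for SHA-256 (RFC 8017)

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def pkcs1_v15_encode(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte RSA modulus."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_rs256(header, claims, n, d):  # mints a token; hypothetical helper used only to exercise the verifier
    k = (n.bit_length() + 7) // 8
    body = ".".join(b64url_encode(json.dumps(x).encode()) for x in (header, claims))
    em = int.from_bytes(pkcs1_v15_encode(body.encode(), k), "big")
    return body + "." + b64url_encode(pow(em, d, n).to_bytes(k, "big"))

class JwksVerifier:
    """Caches JWKS keys by kid and refetches once when a token presents an unknown kid."""
    def __init__(self, fetch_jwks):
        self.fetch_jwks = fetch_jwks  # assumed callable returning the JWKS document as JSON text
        self.keys = {}

    def refresh(self):
        self.keys = {}
        for jwk in json.loads(self.fetch_jwks())["keys"]:
            if jwk.get("kty") == "RSA":  # n and e are base64url big-endian integers (RFC 7518)
                n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
                self.keys[jwk["kid"]] = (n, e, (n.bit_length() + 7) // 8)

    def verify(self, token, now=None):
        """Returns the claims, or raises ValueError for any token the gateway would answer with 401."""
        try:
            h64, p64, s64 = token.split(".")
            header, claims, sig = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64)), b64url_decode(s64)
        except ValueError:
            raise ValueError("malformed token") from None
        if not isinstance(header, dict) or header.get("alg") != "RS256":
            raise ValueError("unsupported alg")  # never accept alg=none or an HMAC alg here
        if header.get("kid") not in self.keys:
            self.refresh()  # one refetch picks up a rotated key; still absent means reject
        if header.get("kid") not in self.keys:
            raise ValueError("unknown kid")
        n, e, k = self.keys[header["kid"]]
        em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
        if len(sig) != k or not hmac.compare_digest(em, pkcs1_v15_encode(f"{h64}.{p64}".encode(), k)):
            raise ValueError("signature invalid")
        if not isinstance(claims, dict) or (now if now is not None else time.time()) >= claims.get("exp", 0):
            raise ValueError("token expired")
        return claims
```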

JWT and HMAC: Mutually Exclusive

There are two authentication paths, and each request should use only one:

Path   Header                                     Validated By                            Use Case
HMAC   X-Token + X-Signature + other X-* headers  WASM filter + orchestrator middleware   Mobile clients
JWT    Authorization: Bearer <token>              Envoy SecurityPolicy                    Backend tooling, service-to-service

The WASM HMAC filter skips any request that carries an Authorization: Bearer header. The SecurityPolicy handles those independently.

This means:

  • A request with X-Token goes through HMAC validation (WASM filter + orchestrator)
  • A request with Authorization: Bearer goes through JWT validation (SecurityPolicy)
  • A request with neither is rejected
  • A request should not send both; behavior is undefined if both are present

🔗 Terms On This Page

If a term below is unfamiliar, open its glossary entry. For the full list, go to Internal Glossary.

  • Firebase JWT: The signed Firebase identity token used to authenticate a user request.
  • JWKS: The public-key document a provider publishes so other systems can verify token signatures.
  • SecurityPolicy: The gateway rule that validates bearer tokens before traffic reaches the backend.
  • HMAC: A shared-secret signature scheme used to prove a request came from a trusted client.