Auth Configuration
Configure how the gateway validates JWT tokens on protected routes.
Options
```yaml
config:
  auth:
    secret: "your-hs256-secret"
    jwksUrl: "https://provider.com/.well-known/jwks.json"
    algorithm: RS256
    defaultProtected: true
    authService: localhost:5000
    authPath: /auth/validate
```
| Field | Type | Default | Description |
|---|---|---|---|
| secret | string | — | Shared secret for HS256 validation |
| jwksUrl | string | — | JWKS endpoint for RS256/ES256 validation |
| algorithm | string | — | Algorithm hint (optional) |
| defaultProtected | bool | false | Require auth on all routes by default |
| authService | string | — | Host for auth delegation |
| authPath | string | /validate | Endpoint path on the auth service |
Three Modes
Tainha supports three auth modes. If multiple are configured, this priority applies:
| Mode | Config | Best for |
|---|---|---|
| Local JWT | secret | Prototyping, simple apps |
| JWKS | jwksUrl | Auth0, Keycloak, Firebase, Cognito |
| Delegation | authService | Custom auth logic, any strategy |
Default Protected
When defaultProtected: true, all routes require authentication unless marked public: true:
```yaml
config:
  auth:
    secret: "my-secret"
    defaultProtected: true
routes:
  - method: GET
    route: /products
    public: true # ← No auth needed
  - method: GET
    route: /orders # ← Auth required (default)
```
When defaultProtected: false (the default), routes are public unless you add auth middleware yourself.
Validation
The gateway fails fast on startup if:
- defaultProtected: true but none of secret, jwksUrl, or authService is set
- Both authService and jwksUrl are set (only one is used — authService wins)
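The startup checks above and the defaultProtected/public rules can be run offline before a config is deployed. The following is an added example, not Tainha's own code: the function names are hypothetical, the dicts stand in for the parsed YAML file, and placing routes at the top level is an assumption.

```python
# Added example, not Tainha source: lint a parsed gateway config offline.
# Function names are hypothetical; the dicts stand in for the parsed YAML file.
AUTH_MODE_KEYS = ("secret", "jwksUrl", "authService")


def startup_errors(cfg):
    """Return the fail-fast conditions from the Validation section that cfg hits."""
    auth = cfg.get("config", {}).get("auth", {})
    configured = [k for k in AUTH_MODE_KEYS if auth.get(k)]
    errors = []
    if auth.get("defaultProtected", False) and not configured:
        errors.append("defaultProtected is true but no auth mode is configured")
    if auth.get("authService") and auth.get("jwksUrl"):
        errors.append("authService and jwksUrl are both set")
    return errors


def unauthenticated_routes(cfg):
    """List (method, route) pairs the gateway serves without checking a token."""
    auth = cfg.get("config", {}).get("auth", {})
    default_protected = auth.get("defaultProtected", False)  # documented default
    exposed = []
    for r in cfg.get("routes", []):
        # public: true opts a route out; with defaultProtected false the
        # gateway enforces nothing, so every route is reported for review.
        if r.get("public", False) or not default_protected:
            exposed.append((r["method"], r["route"]))
    return exposed


# Constructed sample configs. Placing routes at the top level is an assumption.
ROUTES = [
    {"method": "GET", "route": "/products", "public": True},
    {"method": "GET", "route": "/orders"},
]
PROTECTED = {"config": {"auth": {"secret": "my-secret", "defaultProtected": True}},
             "routes": ROUTES}
NO_MODE = {"config": {"auth": {"defaultProtected": True}}, "routes": ROUTES}
BOTH_SET = {"config": {"auth": {"authService": "localhost:5000",
                                "jwksUrl": "https://provider.com/.well-known/jwks.json"}},
            "routes": ROUTES}

if __name__ == "__main__":
    for name, cfg in [("PROTECTED", PROTECTED), ("NO_MODE", NO_MODE), ("BOTH_SET", BOTH_SET)]:
        print(name, startup_errors(cfg), unauthenticated_routes(cfg))
```

Any route this reports that is not meant to be public needs either defaultProtected: true or its own auth middleware.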