page_title: Use JWTs to verify requests to API gateways on Kubernetes
description: Learn how to use JSON web tokens (JWT) to verify requests from external clients to listeners on an API gateway on Kubernetes-orchestrated networks.
---
# Use JWTs to verify requests to API gateways on Kubernetes
This topic describes how to use JSON web tokens (JWT) to verify requests to API gateways deployed to Kubernetes-orchestrated containers. If your API gateway is deployed to virtual machines, refer to [Use JWTs to verify requests to API gateways on VMs](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms).
You can configure API gateways to use JWTs to verify incoming requests so that you can stop unverified traffic at the gateway. You can configure JWT verification at different levels:
- Listener overrides: Define override settings in a GatewayPolicy resource that take precedence over default and route-specific configurations. Use override settings to set enforceable policies for listeners.
Create a `JWTProvider` CRD that defines the JWT provider to verify claims against.
In the following example, the JWTProvider CRD contains a local JWKS. In production environments, use a production-grade JWKs endpoint instead.
<CodeBlockConfig filename="jwt-provider.yaml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: JWTProvider
metadata:
name: local
spec:
issuer: local
jsonWebKeySet:
local:
jwks: "<JWKS-Key>"
```
</CodeBlockConfig>
For more information about the fields you can configure in this CRD, refer to [`JWTProvider` configuration reference](/consul/docs/connect/config-entries/jwtprovider).
## Define a GatewayPolicy
Create a `GatewayPolicy` CRD that defines default and override settings for JWT verification.
- `spec.targetRef.group`: Specifies the resource group. Unless you have created a custom group, this should be set to `gateway.networking.k8s.io/v1beta1`.
- `spec.targetRef.override.jwt.providers`: Specifies a list of providers and claims used to verify requests to the gateway. The override settings take precedence over the default and route-specific JWT verification settings.
- `spec.targetRef.default.jwt.providers`: Specifies a list of default providers and claims used to verify requests to the gateway.
The following examples configure a Gateway and the GatewayPolicy being attached to it so that every request coming through the listener must meet these conditions:
- The request must be signed by the `local` provider
- The request must have a claim of `role` with a value of `user` unless the HTTPRoute attached to the listener overrides it
<Tabs>
<Tab heading="Gateway">
<CodeBlockConfig filename="gateway.yaml">
```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: api-gateway
spec:
gatewayClassName: consul
listeners:
- protocol: HTTP
port: 30002
name: listener-one
```
</CodeBlockConfig>
</Tab>
<Tab heading="GatewayPolicy">
<CodeBlockConfig filename="gateway-policy.yaml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: GatewayPolicy
metadata:
name: gw-policy
spec:
targetRef:
name: api-gateway
sectionName: listener-one
group: gateway.networking.k8s.io/v1beta1
kind: Gateway
override:
jwt:
providers:
- name: "local"
default:
jwt:
providers:
- name: "local"
verifyClaims:
- path:
- role
value: user
```
</CodeBlockConfig>
</Tab>
</Tabs>
For more information about the fields you can configure, refer to [`GatewayPolicy` configuration reference](/consul/docs/connect/gateways/api-gateway/configuration/gatewaypolicy).
- `spec.jwt.providers`: Specifies a list of providers and claims used to verify requests to the gateway. The override settings take precedence over the default and route-specific JWT verification settings.
In the following example, the RouteAuthFilter overrides default settings set in the GatewayPolicy so that every request coming through the listener must meet these conditions:
- The request must be signed by the `local` provider
For more information about the fields you can configure, refer to [`RouteAuthFilter` configuration reference](/consul/docs/connect/gateways/api-gateway/configuration/routeauthfilter).
- `extensionRef.group`: Specifies the resource group. Unless you have created a custom group, this should be set to `gateway.networking.k8s.io/v1beta1`.
