TokenConfiguration

Source: src/Cloudflare/TokenValidation/Configuration.ts

An API Shield JWT validation token configuration — the JWKS key material and token source locations used to validate JSON Web Tokens on a zone.

A configuration holds a set of public JWKs (keys) plus the request fields where the token is found (tokenSources). Rules (TokenValidationRule) then reference the configuration by UUID in their expression (e.g. is_jwt_valid("<configId>")) to enforce validation on selected hosts/operations.

JWT validation is an API Shield feature (Enterprise add-on) — accounts without the entitlement receive the typed TokenValidationNotEntitled error (Cloudflare code 10403) on every call.

Title, description, and token sources are patched in place; the key set is rotated in place via the credentials endpoint. Only zoneId and tokenType force a replacement.

// Create a configuration with one RSA public key; the token is read from
// the Authorization header.
const config = yield* Cloudflare.TokenConfiguration("ApiJwt", {
  zoneId: zone.zoneId,
  tokenSources: ['http.request.headers["authorization"][0]'],
  keys: [
    {
      kty: "RSA",
      alg: "RS256",
      kid: "key-2026-01",
      n: "<base64url modulus>",
      e: "AQAB",
    },
  ],
});

// Changing `keys` PUTs the full key set to the credentials endpoint;
// the configuration (and its UUID) stays in place.
const config = yield* Cloudflare.TokenConfiguration("ApiJwt", {
  zoneId: zone.zoneId,
  tokenSources: ['http.request.headers["authorization"][0]'],
  keys: [oldKey, newKey],
});

// Enforce validation on a host by referencing the configuration's UUID
// in the rule expression.
yield* Cloudflare.TokenValidationRule("RequireJwt", {
  zoneId: zone.zoneId,
  action: "block",
  expression: Output.interpolate`is_jwt_valid("${config.configId}")`,
  selector: { include: [{ host: ["api.example.com"] }] },
});
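
Because a change to keys replaces the full key set, a preflight check on the array is worth running before it reaches the configuration. The following is an added example, not code from this library: checkPublicJwks and nextKeySet are hypothetical helpers, and the sample keys are constructed placeholders. It rejects private or symmetric key material and kid collisions, and builds the overlap set used during rotation.

```typescript
// Added example: preflight for the `keys` array of a TokenConfiguration.
// checkPublicJwks and nextKeySet are hypothetical helpers, not library API.
type Jwk = { kty: string; kid?: string; alg?: string; [member: string]: unknown };

// Private-key members defined by RFC 7518 (RSA: d,p,q,dp,dq,qi,oth; EC: d; oct: k).
const PRIVATE_MEMBERS = ["d", "p", "q", "dp", "dq", "qi", "oth", "k"];

// Returns a list of problems; an empty list means the set holds only public JWKs
// with unique, non-empty kids.
function checkPublicJwks(keys: Jwk[]): string[] {
  const problems: string[] = [];
  const seen = new Set<string>();
  keys.forEach((key, i) => {
    const label = key.kid ?? `#${i}`;
    if (key.kty === "oct") problems.push(`${label}: symmetric key, not a public JWK`);
    const leaked = PRIVATE_MEMBERS.filter((m) => m in key);
    if (leaked.length > 0) problems.push(`${label}: private members present: ${leaked.join(",")}`);
    if (!key.kid) problems.push(`${label}: missing kid`);
    else if (seen.has(key.kid)) problems.push(`${label}: duplicate kid`);
    else seen.add(key.kid);
  });
  return problems;
}

// Builds the full set for a rotation: current keys minus retired kids, plus the new key.
// Throws instead of returning a set that would fail the preflight.
function nextKeySet(current: Jwk[], newKey: Jwk, retireKids: string[] = []): Jwk[] {
  const kept = current.filter((k) => !retireKids.includes(k.kid ?? ""));
  const next = [...kept, newKey];
  const problems = checkPublicJwks(next);
  if (problems.length > 0) throw new Error(`refusing key set: ${problems.join("; ")}`);
  return next;
}

// Constructed sample keys (placeholder values, not real key material).
const oldKey: Jwk = { kty: "RSA", alg: "RS256", kid: "key-2026-01", n: "<base64url modulus>", e: "AQAB" };
const newKey: Jwk = { kty: "RSA", alg: "RS256", kid: "key-2026-02", n: "<base64url modulus>", e: "AQAB" };
// A JWK exported together with its private exponent; it must never be submitted.
const exported: Jwk = { ...newKey, kid: "key-bad", d: "<private exponent>" };
```

Pass the result of nextKeySet([oldKey], newKey) as keys during the overlap window, then call it again with the old kid in retireKids once tokens signed by the old key have expired.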