TokenValidationRule

Source: src/Cloudflare/TokenValidation/Rule.ts

An API Shield JWT validation rule — selects operations/hosts on a zone and enforces a token validation expression with a log or block action.

A rule references a TokenConfiguration by UUID inside its expression (e.g. `is_jwt_valid("<configId>")`). Keep the rule depending on the configuration through its output so the destroy order is rule first, configuration second.

JWT validation is an API Shield feature (Enterprise add-on) — accounts without the entitlement receive the typed TokenValidationNotEntitled error (Cloudflare code 10403) on every call.

All fields are patched in place; only zoneId forces a replacement.

Log requests with invalid JWTs

```ts
const rule = yield* Cloudflare.TokenValidationRule("LogInvalidJwt", {
  zoneId: zone.zoneId,
  action: "log",
  expression: Output.interpolate`is_jwt_valid("${config.configId}")`,
  selector: { include: [{ host: ["api.example.com"] }] },
});
```

Block invalid JWTs, excluding a public operation

```ts
yield* Cloudflare.TokenValidationRule("BlockInvalidJwt", {
  zoneId: zone.zoneId,
  action: "block",
  expression: Output.interpolate`is_jwt_valid("${config.configId}")`,
  selector: {
    include: [{ host: ["api.example.com"] }],
    exclude: [{ operationIds: [healthCheck.operationId] }],
  },
});
```

Create the rule disabled

```ts
yield* Cloudflare.TokenValidationRule("BlockInvalidJwt", {
  zoneId: zone.zoneId,
  enabled: false,
  action: "block",
  expression: Output.interpolate`is_jwt_valid("${config.configId}")`,
  selector: { include: [{ host: ["api.example.com"] }] },
});
```
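As an added example (not code from this library or from Cloudflare), the following is a local model of how a rule's `enabled` flag, `selector` and `action` combine for one request, so the include/exclude shape used in the block example above can be sanity-checked before it is applied. It assumes that an include entry matches when any listed host or operationId matches the request, and that a matching exclude entry overrides a matching include; the operation id is a constructed placeholder.

```typescript
// Constructed model of TokenValidationRule selector/action semantics.
// Assumed: include matches on any listed host or operationId; a matching
// exclude entry overrides a matching include. Not the library's own code.
type SelectorEntry = { host?: string[]; operationIds?: string[] };
type Action = "log" | "block";
type Rule = {
  enabled: boolean;
  action: Action;
  selector: { include: SelectorEntry[]; exclude?: SelectorEntry[] };
};
type ApiRequest = { host: string; operationId: string; jwtValid: boolean };

function entryMatches(entry: SelectorEntry, req: ApiRequest): boolean {
  const byHost = entry.host?.includes(req.host) ?? false;
  const byOp = entry.operationIds?.includes(req.operationId) ?? false;
  return byHost || byOp;
}

// True when the request is selected by at least one include entry and
// by no exclude entry.
function ruleApplies(rule: Rule, req: ApiRequest): boolean {
  const included = rule.selector.include.some((e) => entryMatches(e, req));
  const excluded = (rule.selector.exclude ?? []).some((e) => entryMatches(e, req));
  return included && !excluded;
}

// Outcome for one request: "pass" when the rule is disabled, does not
// select the request, or the JWT is valid; otherwise the rule's action.
function evaluate(rule: Rule, req: ApiRequest): "pass" | Action {
  if (!rule.enabled || !ruleApplies(rule, req) || req.jwtValid) return "pass";
  return rule.action;
}

// Constructed sample mirroring the block example on this page; the
// operation id is a placeholder, not a real Cloudflare identifier.
const blockRule: Rule = {
  enabled: true,
  action: "block",
  selector: {
    include: [{ host: ["api.example.com"] }],
    exclude: [{ operationIds: ["op-health-check-placeholder"] }],
  },
};
```

Run `evaluate(blockRule, req)` for a few constructed requests to confirm that only selected requests with invalid JWTs hit the action, and that excluded operations and other hosts pass through untouched.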