Version: ACE 5

Secure Dynamic APIs

info

JWT validation is available starting from ACE 25.5.0. It is turned on by default starting from ACE 25.6.0.

Overview

By default, ACE production APIs are secured and require authentication for access. To call these APIs, clients must include an Authorization header with a Bearer token in their requests:

Authorization: Bearer <your_token_here>

To enable token validation and grant access to the APIs, you must configure JWT validation on the ACE runtime server.

All Dynamic APIs running in production mode are protected by default. However, it is possible to expose selected APIs publicly.

To make an API public, you must explicitly enable this option by checking the "Public" checkbox in API properties.

Configuration

There are two ways to configure the key used to validate a JWT: manual or remote.

All configuration variables are optional, but it is strongly recommended to provide the issuer (ACE_JWT_VALIDATION_OPENID_ISSUER) and the audience (ACE_JWT_VALIDATION_AUDIENCE) along with the other necessary variables.

Manual

If a secret or public key (ACE_JWT_VALIDATION_SECRET) is provided manually, you must also specify the algorithm (ACE_JWT_VALIDATION_ALGORITHM).

In this case, ACE does not attempt to retrieve a key from a remote source.

Remote

If no secret is specified, ACE attempts to retrieve the key from a remote source.

In this case, you must provide the OpenID issuer URL (ACE_JWT_VALIDATION_OPENID_ISSUER). For Keycloak, this is the realm URL (https://<keycloak-url>/realms/<keycloak-realm>).

note

The URL used to retrieve the key is ${ACE_JWT_VALIDATION_OPENID_ISSUER}/.well-known/openid-configuration
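The following is an added example, not ACE's own code, showing what the manual-mode settings above amount to when a Bearer token is checked, and why the issuer and audience variables are recommended: a token with a valid signature is still rejected if it was issued for a different audience. It implements HS256 only; the secret, issuer URL and audience values are constructed placeholders, and `discovery_url` mirrors the `.well-known/openid-configuration` rule from the note.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def discovery_url(issuer: str) -> str:
    # Remote mode: the key location is derived from the issuer URL.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def validate(token, secret, algorithm, issuer=None, audience=None, now=None):
    """Return the claims if the token is acceptable, else raise ValueError.
    secret/algorithm/issuer/audience correspond to ACE_JWT_VALIDATION_SECRET,
    _ALGORITHM, _OPENID_ISSUER and _AUDIENCE (manual mode, HS256 only here)."""
    if algorithm != "HS256":
        raise ValueError("only HS256 is implemented in this example")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The algorithm comes from configuration, never from the token header:
    # trusting header["alg"] would let a token choose "none" or a weaker scheme.
    if header.get("alg") != algorithm:
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    if issuer is not None and claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if audience is not None:
        aud = claims.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("wrong audience")
    return claims

def mint(claims: dict, secret: str) -> str:
    # Constructed HS256 test token standing in for one issued by the IdP.
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```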