src/content/docs/api-shield/security/jwt-validation/index.mdx
Lines changed: 24 additions & 1 deletion
@@ -50,7 +50,6 @@ To automatically keep your JWKS up to date when your identity provider refreshes
50
50
51
51
### Add a JWT validation rule
52
52
53
-
54
53
<TabssyncKey="dashNewNav">
55
54
<TabItemlabel="Old dashboard">
56
55
<Steps>
@@ -104,6 +103,30 @@ If you expect to migrate between two different identity providers, you must crea
104
103
105
104
API Shield will verify JSON Web Tokens regardless of whether or not they have the `Bearer` prefix.
106
105
106
+
### Rate limit by user (JWT claim)
107
+
108
+
You can rate limit requests based on any claim inside of a JSON Web Token (JWT), such as registered claims like `aud` or `sub`, or custom claims like `userEmail` or nested custom claims like `user.email`.
109
+
110
+
Rate limiting based on JWT claim values will only work on valid JSON Web Tokens. If you do not block invalid JSON Web Tokens on your path, the [JWT claims will all be counted and possibly blocked](https://developers.cloudflare.com/waf/rate-limiting-rules/parameters/#missing-field-versus-empty-value) if high traffic is detected in the Point of Presence (PoP).
111
+
112
+
You must also count the JWT claim that uniquely identifies the user. If you select a claim that is the same for many of your users, their rate limits will all be counted together.
113
+
114
+
### Rate limit by user tier
115
+
116
+
If you offer multiple tiers on your website or application and you want to enforce rate limiting based on the tiers, such as:
117
+
118
+
- If `"aud": "free-tier"`, rate limit to five requests per minute
119
+
- If `"aud": "premium-tier"`, rate limit to 50 requests per minute
120
+
121
+
You can follow the rate limiting rule example below:
122
+
123
+
```txt title="Rule example"
124
+
(http.request.method eq "GET" and
125
+
http.host eq "<YOUR_DOMAIN>" and
126
+
http.request.uri.path matches "</EXAMPLE_PATH>" and
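Review bot: the sentence "If you do not block invalid JSON Web Tokens on your path, the JWT claims will all be counted and possibly blocked" leaves unclear what is being counted; since the linked anchor is about missing versus empty field values, say it directly, for example "requests whose token is missing or invalid have no claim value to read, so they are all counted against one shared counter and may be blocked together once the threshold is reached". In "You must also count the JWT claim that uniquely identifies the user", "count" should be "select" or "use", because the claim is the characteristic requests are counted by, not the thing being counted. In the rule example, `"</EXAMPLE_PATH>"` has a stray slash that reads as a closing tag and is inconsistent with `"<YOUR_DOMAIN>"`; use `"<EXAMPLE_PATH>"`, and since `matches` takes a regular expression, either mention that or use `eq` for a literal path. The example is cut off after the `http.request.uri.path` line in this view, so the claim-based counting characteristic it is meant to demonstrate cannot be reviewed here.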
JWT validation is available for all API Shield customers. Enterprise customers who have not purchased API Shield can preview [API Shield as a non-contract service](https://dash.cloudflare.com/?to=/:account/:zone/security/api-shield) in the Cloudflare dashboard or by contacting your account team.