# Authenticate via JWT

A JSON Web Token (JWT) (An open, industry standard typically used for authorization and information exchange.) is an open, industry standard ([RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519)) that defines a compact and self-contained method for securely transmitting information between parties as a JSON object, which can be verified and trusted as it is digitally signed.

JWTs are useful for both authorization (the most common scenario for using a JWTs) and information exchange (where information can be securely transmitted between parties). SingleStore supports using JWTs for authentication. Refer to [JWT.io](https://jwt.io/) for more information.

## Use JWTs with the SingleStore and MySQL Clients

To use a JWT with the SingleStore client, replace the password with the JWT:

```shell
singlestore -u '*' -h $CLUSTER_HOSTNAME -P $CLUSTER_PORT --password=$JWT --ssl=TRUE --enable-cleartext-plugin
```

Similarly, to use a JWT with the MySQL client, replace the password with the JWT:

```shell
mysql -u '*' -h $CLUSTER_HOSTNAME -P $CLUSTER_PORT --password=$JWT --ssl=TRUE
```

Specify the username as `'*'` in the `-u` (`--user`) option in the SingleStore/MySQL client command line to retrieve the username to use for connecting with SingleStore from the JWT.

Refer to [Validate JWTs with JWKS](https://docs.singlestore.com/#section-idm4592227523569633070889883433.md) for more information.

> **📝 Note**: SingleStore also supports JWT-based authentication with [the SingleStore JDBC driver](https://docs.singlestore.com/db/v9.1/developer-resources/connect-with-application-development-tools/connect-with-java-jdbc/the-singlestore-jdbc-driver.md), [the SingleStore ODBC driver](https://docs.singlestore.com/db/v9.1/developer-resources/connect-with-application-development-tools/connect-with-odbc/the-singlestore-odbc-driver.md), and other client libraries that support cleartext (provided cleartext is enabled).

## About JWT Users

For the purposes of this document, a "JWT user" is a user that can authenticate with a JWT when connecting to a SingleStore cluster. Refer to [Create a JWT User](https://docs.singlestore.com/#section-idm4582152339497633042662275189.md) for more information.

For authenticating to SingleStore with a JWT:

* Clusters are configured to accept JWTs using [JSON Web Key Sets (JWKS)](https://docs.singlestore.com/#section-idm4592226252089633070902698635.md) or with the static `jwt-config` file. With JWKS, JWTs are matched to JSON Web Keys (JWKs) to validate the JWT. The JWK and JWT together specify the database username to use. With the static `jwt-config` file, JWTs are matched to keys based on the `alg` in the JWT. Both JWKS and `jwt-config` can be used at the same time. When they’re used together, JWTs are matched against JWKS first and will only be matched against the `jwt-config` file if there is no match to any JWK.

## Validate JWTs with JWKS

You can use JSON Web Key Sets (JWKS) (A set of keys containing public keys that can be used to authenticate any JWT.) to validate the signature of a signed JWT. JWKS are a set of keys which contain public keys that can be used to authenticate any JWT. JWKS is a standard to download a batch of JWKs from a URL.

JWTs are matched with JSON Web Keys (JWKs) for validation as follows:

* If the JWT has a `kid` (Key ID) field, the JWKs with matching `kid` fields are validated.
* If the JWT has a `kid` field that doesn’t match any JWK or `jwt_config` key, the authentication request is rejected. See [Validate JWTs with the `jwt-config`](https://docs.singlestore.com/#section-idm4592227550392033071214528769.md) for more information.
* If the JWT has an `iss` (Issuer) field (instead of a `kid` field) that matches the `kid` in one or more JWKs, the JWKs with matching `kid` fields are validated.
* If the JWT does not have a `kid` field and the `iss` field does not match the `kid` field in any JWK, then validation is attempted with all the JWKs with a matching `alg` (Algorithm) field. If the `alg` field is not specified, the `kty` (Key Type) field is used instead.

The JWTs signature is validated as follows:

* The JWT’s signature is validated against matching JWKs. If the JWT’s signature matches more than one JWK, validation is attempted against all matching JWKs. If the signature cannot be validated, the authentication request is rejected.
* If the matching JWK includes an `aud` (Audience) field which does not match the `aud` field in the JWT, then the authentication request is rejected. The `aud` field can be a string or an array of strings. If any `aud` string of the JWT matches any `aud` string of the JWK, it is considered a match.

  **Note**: If the `jwks_require_audience` variable is set (non-empty), the value of this variable must be present in the `aud` field in the JWT. If the `aud` field is an array, the value of this variable must be one of the items in the array.
* If the matching JWK does not define an audience (`aud`), audience checking is skipped. Note that `aud` is not a standard field in JWK.

The database username is identified as follows:

* When the `jwks_username_field` variable is set (non-empty), the value of this variable specifies the name of the JWT field that determines the database username. If this variable is set, all the other rules for identifying the database username are overridden/ignored.
* If the matching JWK has a `usernameFrom` field, the value of this JWK field is used to identify the name of the field in the JWT that determines the database username.
* If the JWK does not have a `usernameFrom` field, but the JWT has a `username` field, then the `username` field determines the database username.
* If the JWK does not have a `usernameFrom` field and the JWT does not have a `username` field, then the `sub` field in the JWT determines the database username.

> **📝 Note**: The database username in the JWT, once determined, must exactly match the database username used in the connection attempt. Otherwise, authentication is rejected.

## Configure JWKS

To authenticate using JWKS, build a JWKS configuration file that contains your public keys and serve it from your Web server via static URL.

SingleStore supports the following public key signature algorithms: RS256, RS384, RS512, ES256, ES384, and ES512.

Perform the following tasks to configure JWKS.

1. Configure the certificate authority used to validate the TLS transfer of the JWKS using SSL.

   This step should be performed only if you are using self-signed certificates. If you are not using self-signed certificates then start with step 2.

   1. Install a public key certificate corresponding to your TLS encryption certificate authority that secures the HTTP SSL transfers.

   2. Run the following command to specify the certificate file:
      ```sql
      SET GLOBAL jwks_ssl_ca_certificate='/path/to/certificate-filename.pem'
      ```

2. Configure the JWKS endpoint.
   ```sql
   SET GLOBAL jwks_endpoint='https://example.com/.well-known/jwks.json'
   ```
   Updating the endpoint configuration triggers a JWKS update and validation. The `SET GLOBAL` command returns an error if:

   * The `GET` request fails.
   * There are no valid keys in the updated JWKS.

   A warning is generated if any JWKS is rejected, even if the JWKS has valid keys. Information on rejected keys is available in the audit log.

To disable JWKS updates, set the endpoint to an empty string.

```sql
SET GLOBAL jwks_endpoint=''
```

Optionally, you can set a refresh interval to update the JWKS configuration automatically (specify the value in seconds).

```sql
SET GLOBAL jwks_update_interval = 3600
```

If this value is not set, or set to `0`, the JWKS configuration updates only when the `SET GLOBAL jwks_endpoint` command is run. To manually refresh the JWKS configuration, run the `SET GLOBAL jwks_endpoint` command with its existing value.

## JWKS Update Status

To check the status of the most recent JWKS update, use the `SHOW STATUS EXTENDED` command. It provides the following information:

* `JWKS_update_status`: Specifies the status of the update. The status can be one of the following: `SUCCESS`, `FAILED`, or `DISABLED`. The `FAILED` status is followed by the reason behind the failure, in parenthesis.
* `JWKS_update_time`: Specifies the timestamp of JWKS update.
  ```sql
  SHOW STATUS EXTENDED LIKE 'JWKS_update%';

  ```
  ```output

  +--------------------+-----------------------------------------------------------------------+
  | Variable_name      | Value                                                                 |
  +--------------------+-----------------------------------------------------------------------+
  | JWKS_update_status | FAILED (Failed to connect to localhost port 8082: Connection refused) |
  | JWKS_update_time   | Mon May  2 14:03:08 2022 EST                                          |
  +--------------------+-----------------------------------------------------------------------+
  ```

## Validate JWTs with the `jwt-config`

The `jwt-config` file supports only one key per algorithm: RS256, RS384, RS512, HS256, HS384, HS512, ES256, ES384, ES512.

The `username_claim` field specifies the field in the JWT that is used to obtain the database username. The database username must match the username in the connection string.

The name of this static configuration file is passed to the engine at startup using the `jwt_auth_config_file` variable. Alternatively, it can be set with using the following command:

```sql
SET GLOBAL jwt_auth_config_file='filename.json'
```

The static JWT configuration is only read when the cluster restarts. Here's a sample `jwt-config` file:

```json
{
    "username_claim": "email",
    "methods": [
        {
            "algorithms": [ "RS256" ],
            "secret": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs7t1xiasxa7uSvtMZ8+MtRSiRnxHBEQfLcssxWV7NEvkJTOhAn1KYyM8nMzh4H356aUwCYrOtekjIMmkuBljhic1LQ7kmjdzRc2M/qBXFlD4C9+OxwDtE2tTEHbO/dKuLFSTVGdGVvyLMJIE08hc6ri7xGi1PSYgxH85u7vWB6p43VgHpRH/iJBw6BLBTyfBfgAtbsD8AHm8Ucf8zIPhOVO7gTUqAopbV23eyuzLHFRtXuyDQzkQc8PY0hkHlnlJkDfr0SBgxr1+jPPt7VmrtXIlzNMfbsI5SkLMfoVmXLTqeC8UDA/C8ayWCDh+2a2zuQF0bZSSr1Y9pKDvojTbEQIDAQAB\n-----END PUBLIC KEY-----"
        },
        {
            "algorithms": [ "ES512" ],
            "secret": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEQinMHQNolwDsI8/o0Ou3joss0m7n5MPR\n59ckzQELU+KDdSNJkTO/DVV6S9SpBoMVJ02hl3SQmZTZwy4cNtDHFVtD1UR6E9J8\naFbvsAi8PvSwaQ4ZP0mxgaEzpXfIH30+\n-----END PUBLIC KEY-----"
        }
    ]
}
```

## Create a JWT User

> **📝 Note**: Creating JWT users is only supported in SingleStore clusters running SingleStore v7.8.3 and later.

You can manually create a JWT user using the following command:

```sql
CREATE USER 'email@example.com'@'%' IDENTIFIED WITH authentication_jwt REQUIRE SSL;
```

where:

* `email@example.com` is the JWT user’s username. As of SingleStore version 8.1.5, you may also create a JWT user with a username that resembles an email address or a UUID.
* The maximum length of a JWT user’s username is 320 characters.
* `IDENTIFIED WITH authentication_jwt` sets the user’s authentication method to use a JWT.
* `REQUIRE SSL` (mandatory) enforces the use of SSL for the JWT connection.

***

Modified at: May 22, 2026

Source: [/db/v9.1/security/authentication/authenticate-via-jwt/](https://docs.singlestore.com/db/v9.1/security/authentication/authenticate-via-jwt/)

(An index of the documentation is available at /llms.txt)