## Kong Gateway JWT backend protection

The [Kong API Gateway](https://konghq.com/) is a powerful tool for managing traffic to your cluster. By using the Kong JWT plugin, you can validate requests to your API to ensure they are authenticated.

**Using Kong plugins**

This guide assumes you have already installed the Kong JWT plugin. Below is the configuration for using this plugin.

### Step 1: Create a service

To create a service, run the following command:

```
curl -i -f -X POST http://localhost:8001/services \
  --data "name=my-cool-service" \
  --data "url=http://httpbin.org"
```

### Step 2: Create a route on Kong

Next, create a route for your service:

```
curl -i -f -X POST http://localhost:8001/routes \
  --data "service.id={my-cool-service's id}" \
  --data "paths[]=/test"
```

### Step 3: Add the JWT plugin to the route

Add the JWT plugin to the route (the Admin API path is `/routes/{route id}/plugins`):

```
curl -X POST http://localhost:8001/routes/{route id}/plugins \
  --data "name=jwt"
```

### Step 4: Create the Kong consumer

To create a Kong consumer, use the REST API:

```
curl -d "custom_id=SOME_CONSUMER_ID" http://kong:8001/consumers/
```

### Step 5: Copy the JWT public key from the Frontegg portal

1. In the **Frontegg portal**, go to [ENVIRONMENT] ➜ Configurations ➜ Security ➜ JWT.
2. Open the **JWT signature** tab and copy the public key.

![kong-gateway-1](/assets/kong-gateway-1.39198ec84db235a7168f845ba6bf8265e32f23e1eff81ffc4bf1843e85d301a3.97d793c5.png)

### Step 6: Create a new RS256 JWT credential

Now, create an RS256 JWT credential for the consumer using the copied public key. The `key` value must equal the `iss` claim of the tokens Frontegg issues, which is your workspace URL:

```
curl -i -X POST http://localhost:8001/consumers/{consumer}/jwt \
  -F "algorithm=RS256" \
  -F "rsa_public_key=[THE-PUBLIC-KEY-FROM-THE-PORTAL]" \
  -F "key=https://{workspace-url}.frontegg.com/"   # the `iss` field
```

**Issuer validations**

The configuration above validates that the issuer (the `iss` claim) of the JWT is the Frontegg workspace domain. Validation of the `iss` claim is enabled by default in the Kong JWT plugin.

### Testing

To test your configuration, call the test endpoint with a JWT signed by Frontegg:

```
curl -i http://localhost:8000/test \
  -H "Host: example.com" \
  -H "Authorization: Bearer {JWT}"
```
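What the Kong JWT plugin does with the credential from Step 6 is easy to lose in the curl commands: it reads the `iss` claim of the incoming token, selects the consumer credential whose `key` equals that value, and only then verifies the RS256 signature with that credential's `rsa_public_key`. The following Python models that flow so the behaviour can be checked offline. It is an added example, not code from this page, from Frontegg or from Kong. The issuer URL `https://example-workspace.frontegg.com/`, the function names (`kong_jwt_check`, `issue_token`, `demo`) and the constructed tokens are assumptions for the demonstration; the textbook RSA key generation exists only so the block runs with the standard library, and a real deployment uses the key pair Frontegg generates (Step 5) plus a maintained JWT library. The `exp` check is included because a practitioner wants it; in Kong it is a separate plugin option (`claims_to_verify`).

```python
import base64
import hashlib
import json
import random

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _enc_json(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits: int = 1024):
    """Textbook RSA on the stdlib so the example runs offline. Demo-sized key only;
    the real key pair is the one Frontegg generates for the workspace (Step 5)."""
    def prime(b):
        while not _is_probable_prime(c := random.getrandbits(b) | (1 << (b - 1)) | 1):
            pass
        return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

# RSASSA-PKCS1-v1_5 with SHA-256 is what JWS calls "RS256".
_SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    t = _SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_sign(message: bytes, priv: dict) -> bytes:
    k = (priv["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(em, priv["d"], priv["n"]).to_bytes(k, "big")

def rs256_verify(message: bytes, signature: bytes, pub: dict) -> bool:
    k = (pub["n"].bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= pub["n"]:
        return False
    return pow(s, pub["e"], pub["n"]).to_bytes(k, "big") == _emsa_pkcs1_v15(message, k)

def issue_token(claims: dict, priv: dict) -> str:
    # Compact JWS, the shape an issuer such as Frontegg hands to the client.
    signing_input = _enc_json({"alg": "RS256", "typ": "JWT"}) + "." + _enc_json(claims)
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), priv))

def kong_jwt_check(token: str, credentials: dict, now: int):
    """Model of the Kong JWT plugin: pick the credential whose `key` equals `iss`, then check alg, signature, exp."""
    try:
        h64, c64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64))
        signature = b64url_decode(s64)
        cred = credentials.get(claims.get("iss"))  # matched against the `key` from Step 6
        alg = header.get("alg")                    # untrusted input, never used to pick a key
    except (ValueError, UnicodeDecodeError, AttributeError, TypeError):
        return False, "malformed token"
    if cred is None:
        return False, "no credential for this iss"
    if alg != cred["algorithm"]:
        return False, "algorithm mismatch"
    if not rs256_verify(f"{h64}.{c64}".encode(), signature, cred["rsa_public_key"]):
        return False, "invalid signature"
    if "exp" in claims and claims["exp"] <= now:
        return False, "token expired"
    return True, "ok"

def demo():
    issuer = "https://example-workspace.frontegg.com/"  # constructed placeholder workspace
    pub, priv = generate_keypair()
    creds = {issuer: {"algorithm": "RS256", "rsa_public_key": pub}}  # the Step 6 credential
    now = 1_700_000_000
    good = issue_token({"iss": issuer, "sub": "user-1", "exp": now + 3600}, priv)
    head, _, sig = good.split(".")
    forged = f"{head}.{_enc_json({'iss': issuer, 'sub': 'admin', 'exp': now + 3600})}.{sig}"
    return {
        "valid": kong_jwt_check(good, creds, now),
        "tampered": kong_jwt_check(forged, creds, now),
        "unknown_issuer": kong_jwt_check(issue_token({"iss": "https://other.example/"}, priv), creds, now),
        "expired": kong_jwt_check(issue_token({"iss": issuer, "exp": now - 1}, priv), creds, now),
    }
```

Running `demo()` returns the four verdicts: the token from the registered workspace is accepted, a token whose payload was edited after signing fails the signature check, a token from an issuer with no credential is rejected before any cryptography runs (this is the `iss` validation the callout above refers to), and an expired token is rejected. The order matters for a gateway: the lookup by `iss` is what binds a token to exactly one consumer's public key, so the `alg` header never decides which key is used.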