JWT Authentication

This feature is available only on the Enterprise Plan of Portkey.

Portkey supports JWT-based authentication in addition to API Key authentication. Clients can authenticate API requests using a JWT token, which is validated against a configured JWKS (JSON Web Key Set). This guide explains the requirements and setup process for JWT authentication in Portkey.

Validate JWT Token (Guardarail)

Validate your JWT Token before making a LLM request using Portkey.

Configuring JWT Authentication

JWT authentication can be configured under Admin Settings → Organisation → Authentication.

JWKS Configuration

To validate JWTs, you must configure one of the following:

JWKS URL: A URL from which the public keys will be dynamically fetched.
JWKS JSON: A static JSON containing public keys.

JWT Requirements

Supported Algorithm

JWTs must be signed using RS256 (RSA Signature with SHA-256).

Required Claims

Your JWT payload must contain the following claims:

Claim Key	Description
`portkey_oid` / `organisation_id`	Unique identifier for the organization.
`portkey_workspace` / `workspace_slug`	Identifier for the workspace.
`scope` / `scopes`	Permissions granted by the token.

User Identification

Portkey identifies users in the following order of precedence for logging and metrics:

email_id
sub
uid

Authentication Process

The client sends an HTTP request with the JWT in the x-portkey-api-key header:
```
x-portkey-api-key: <JWT_TOKEN>
```
The server validates the JWT:
- Verifies the signature using the JWKS.
- Checks if the token is expired.
- Ensures the required claims are present.
If valid, the request is authenticated, and user details are extracted for authorization and logging.
If invalid, the request is rejected with an HTTP 401 Unauthorized response.

Authorization & Scopes

Once the JWT is validated, the server checks for the required scope. Scopes can be provided in the JWT as either a single string or an array of strings using the scope or scopes claim.

Show Available Permission Scopes

Show Workspace Management

workspaces.read

string

View workspace details

workspaces.update

string

Modify workspace settings

workspaces.list

string

List available workspaces

Show Logs & Analytics

logs.export

string

Export logs to external systems

logs.list

string

List available logs

logs.view

string

View log details

logs.write

string

Create and modify logs

analytics.view

string

Access analytics data

Show Configurations

configs.create

string

Create new configurations

configs.update

string

Update existing configurations

configs.delete

string

Delete configurations

configs.read

string

View configuration details

configs.list

string

List available configurations

Show Virtual Keys

virtual_keys.create

string

Create new virtual keys

virtual_keys.update

string

Update existing virtual keys

virtual_keys.delete

string

Delete virtual keys

virtual_keys.duplicate

string

Duplicate existing virtual keys

virtual_keys.read

string

View virtual key details

virtual_keys.list

string

List available virtual keys

virtual_keys.copy

string

Copy virtual keys between workspaces

Show Workspace Users

workspace_users.create

string

Create new workspace users

workspace_users.read

string

View workspace user details

workspace_users.update

string

Update workspace user settings

workspace_users.delete

string

Remove users from workspace

workspace_users.list

string

List workspace users

Show Other

prompts.render

string

Render prompt templates

completions.write

string

Create and manage completions

Scopes can also be prefixed with portkey. (e.g., portkey.completions.write).

JWT tokens with appropriate scopes function identically to workspace API keys, providing access to workspace-specific operations. They cannot be used as organization API keys, which have broader administrative permissions across all workspaces.

Example JWT Payload

{
  "portkey_oid" : "org_123456",
  "portkey_workspace": "workspace_abc",
  "scope": ["completions.write", "logs.view"],
  "email_id": "user@example.com",
  "sub": "user-123",
  "exp": 1735689600
}

Making API Calls with JWT Authentication

Once you have a valid JWT token, you can use it to authenticate your API calls to Portkey. Below are examples showing how to use JWT authentication with different SDKs.

NodeJS
Python
cURL
OpenAI Python SDK
OpenAI NodeJS SDK

Install the Portkey SDK with npm

npm install portkey-ai

import Portkey from 'portkey-ai';

const client = new Portkey({
  apiKey: '<JWT_TOKEN>', // Use JWT token instead of API key
});

async function main() {
  const response = await client.chat.completions.create({
    messages: [{ role: "user", content: "Hello, how are you today?" }],
    model: "gpt-4o",
  });

  console.log(response.choices[0].message.content);
}

main();

Install the Portkey SDK with pip

pip install portkey-ai

from portkey_ai import Portkey

client = Portkey(
  api_key = "<JWT_TOKEN>" # Use JWT token instead of API key
)

response = client.chat.completions.create(
  model="gpt-4o",
  messages=[
    {"role": "system", "content": "You are a helpful assistant."},
    {"role": "user", "content": "Hello!"}
  ]
)

print(response.choices[0].message)

curl https://api.portkey.ai/v1/chat/completions \
  -H "Content-Type: application/json" \
  -H "x-portkey-api-key: <JWT_TOKEN>" \
  -d '{
    "model": "gpt-4o",
    "messages": [
      { "role": "user", "content": "Hello!" }
    ]
  }'

Install the OpenAI & Portkey SDKs with pip

pip install openai portkey-ai

from openai import OpenAI
from portkey_ai import createHeaders, PORTKEY_GATEWAY_URL

client = OpenAI(
    api_key="xx",
    base_url=PORTKEY_GATEWAY_URL,
    default_headers=createHeaders(
        api_key="<JWT_TOKEN>" # Use JWT token instead of API key
    )
)

completion = client.chat.completions.create(
  model="gpt-4o",
  messages=[
    {"role": "system", "content": "You are a helpful assistant."},
    {"role": "user", "content": "Hello!"}
  ]
)

print(completion.choices[0].message)

Install the OpenAI & Portkey SDKs with npm

npm install openai portkey-ai

import OpenAI from 'openai';
import { PORTKEY_GATEWAY_URL, createHeaders } from 'portkey-ai'

const openai = new OpenAI({
  apiKey: 'xx',
  baseURL: PORTKEY_GATEWAY_URL,
  defaultHeaders: createHeaders({
    apiKey: "<JWT_TOKEN>" // Use JWT token instead of API key
  })
});

async function main() {
  const completion = await openai.chat.completions.create({
    messages: [{ role: 'user', content: 'Say this is a test' }],
    model: 'gpt-4o',
  });

  console.log(completion.choices[0].message);
}

main();

Caching & Token Revocation

JWTs are cached until they expire to reduce validation overhead.

Introduction

Product

Support

Validate JWT Token (Guardarail)

Configuring JWT Authentication

JWKS Configuration

JWT Requirements

Supported Algorithm

Required Claims

User Identification

Authentication Process

Authorization & Scopes

Example JWT Payload

Making API Calls with JWT Authentication

Caching & Token Revocation

Introduction

Product

Support

Validate JWT Token (Guardarail)

​Configuring JWT Authentication

​JWKS Configuration

​JWT Requirements

​Supported Algorithm

​Required Claims

​User Identification

​Authentication Process

​Authorization & Scopes

​Example JWT Payload

​Making API Calls with JWT Authentication

​Caching & Token Revocation

Configuring JWT Authentication

JWKS Configuration

JWT Requirements

Supported Algorithm

Required Claims

User Identification

Authentication Process

Authorization & Scopes

Example JWT Payload

Making API Calls with JWT Authentication

Caching & Token Revocation