Secure Endpoint Using the Ory Reverse Proxy
This command starts a reverse proxy which can be deployed in front of your application.
To require login before accessing paths in your application, use the --protect-path-prefix flag:
The --protect-path-prefix flag currently uses a string prefix match. Future versions will include support for regular expressions and glob matching.
If the request is authenticated, a JSON Web Token will be sent in the HTTP Authorization Header containing the Ory Session:
The JSON Web Token claims contain:
- The "sub" field which is set to the Ory Identity ID.
- The "session" field which contains the full Ory Session.
The JSON Web Token is signed using the ES256 algorithm. The public key can be fetched from the /.ory/jwks.json path on the proxy, for example http://127.0.0.1:4000/.ory/jwks.json
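An added example (not from the Ory documentation or code base) of how the application behind the proxy can check that token: it pins ES256 and verifies the signature against the key set from /.ory/jwks.json using Node.js's built-in crypto module. The function names, the throwaway key, the `kid` value and the sample claims are constructed for illustration; in a deployment, `jwks` is the JSON fetched from the proxy.

```javascript
const crypto = require('node:crypto');

const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// jwks: the parsed JSON document served at /.ory/jwks.json ({ keys: [...] }).
function verifyProxyToken(token, jwks) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = b64urlJson(h);
  // Pin the algorithm: never let the token's own header choose the verifier.
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  // Select by kid when the header carries one; otherwise try every P-256 key.
  const candidates = jwks.keys.filter(
    (k) => k.kty === 'EC' && k.crv === 'P-256' && (!header.kid || k.kid === header.kid));
  // JWS ES256 signatures are the raw 64-byte r||s pair (IEEE P1363), not DER.
  const sig = Buffer.from(s, 'base64url');
  const ok = sig.length === 64 && candidates.some((jwk) =>
    crypto.verify('sha256', Buffer.from(`${h}.${p}`),
      { key: crypto.createPublicKey({ key: jwk, format: 'jwk' }), dsaEncoding: 'ieee-p1363' },
      sig));
  if (!ok) throw new Error('bad signature');
  const claims = b64urlJson(p);
  if (typeof claims.sub !== 'string' || !claims.sub) throw new Error('missing sub');
  return claims; // claims.sub: Ory Identity ID, claims.session: Ory Session
}

// Constructed stand-in for the proxy: a throwaway P-256 key and a sample token.
function makeSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'sample-key' }] };
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const claims = { sub: 'constructed-identity-id', session: { active: true } };
  const input = `${enc({ alg: 'ES256', kid: 'sample-key' })}.${enc(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return { jwks, token: `${input}.${sig.toString('base64url')}` };
}
```

Rejecting any `alg` other than ES256 before touching the key set is what keeps an unsigned or differently signed token from being accepted by the upstream application.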
An example payload of the JSON Web Token is: