Kong JWT Authentication Setup

@vishal1145

Your Kong setup will fail in production if you rely on the default JWT plugin alone—it doesn't handle revocation or custom claim validation, which means a stolen token stays valid until expiration even after a user logs out. To build this correctly, I need clarity on two things: What's your expected token refresh cadence (5-minute access tokens with 7-day refresh, or longer-lived sessions)? And are you running Kong in DB-less mode with declarative config, or do you have Postgres backing the control plane? The revocation strategy changes completely depending on your answer. Here's the architectural approach: - KONG PLUGIN DEVELOPMENT: Write a custom Lua plugin that intercepts requests, checks JWT signatures, queries your revocation store (Redis or Postgres depending on your mode), and injects custom claims as X-User-Role and X-Tenant-ID headers for upstream consumption. - TOKEN LIFECYCLE MANAGEMENT: Configure the jwt plugin with RS256 signing, 15-minute access token TTL, and implement a /refresh endpoint that validates refresh tokens stored in Postgres with a 7-day sliding window to prevent indefinite sessions. - REVOCATION LAYER: Build a Redis-backed blacklist with TTL matching token expiration so revoked JTIs auto-expire, eliminating the need for manual cleanup and keeping lookup time under 5ms even at 100K requests per minute. - KUBERNETES DEPLOYMENT: Package everything in a Helm chart with ConfigMaps for declarative routes, Secrets for RSA keypairs, and init containers that auto-migrate the Postgres schema on first boot. - TESTING HARNESS: Deliver a Postman collection with pre-request scripts that handle token refresh flows, plus a bash script that rotates signing keys by generating new RSA pairs and updating Kong's jwt_secrets table without downtime. I've built three similar Kong setups for fintech clients processing 50M API calls per month. Let's schedule a 15-minute call to walk through your current declarative config and confirm the revocation strategy before I start coding—I don't take on projects where the security model isn't bulletproof from day one.

@SmartCodeDev

Hello, I can implement end to end JWT authentication in Kong OSS with expiration control, revocation, and custom claims handling. I will configure the JWT plugin and extend it with a lightweight revocation layer using Redis or Postgres integrated through a custom plugin. Token expiration will be enforced at the gateway with configurable defaults and proper rejection of expired tokens. I will enrich tokens with custom claims, validate them in Kong, and forward them securely to upstream services via headers. The setup will be delivered with a docker compose or Kubernetes manifest for one command startup. I will provide curl or Postman scripts to demonstrate valid access, expiration failure, and revoked token rejection. A clear README will explain key rotation, claim validation rules, and configuration steps. Solution will remain fully within Kong OSS without enterprise features. Ready to start once repo access is shared.

@nadeemkhan7

Hello, I have carefully reviewed the requirements for the Kong JWT Authentication Setup project and I am confident in my ability to deliver a high-quality solution. I have over 12 years of experience in Amazon Web Services and have worked on similar projects in the past. I would like to discuss your exciting project further and understand your specific needs in more detail. Please feel free to connect with me in chat so we can explore how I can help you achieve your goals with this project. Looking forward to collaborating with you. Best regards, Nadeem

@loxtic

Hi, how are you doing? I’ve worked on JWT-based auth for API gateways and small custom plugins, and I’ve set up token lifecycles, revocation, and custom claims without pulling in Enterprise features. I can wire a lightweight Redis/Postgres revocation flow, expose tunable token expiry, and surface claims to upstream via headers, with a docker-compose or k8s manifest ready in one shot. I’ll include scripts to demonstrate login, token use, expiry, and revocation, plus a README explaining key rotation and claim rules. Let me know further if interested

@KarthikTechCon

Hi, I’m Karthik with 15+ years of experience in **API gateways, Kubernetes, and secure auth (JWT/OAuth)**. I can configure Kong’s **JWT plugin end-to-end** and ensure clean, reliable token validation across your routes. **My approach:** • Configure JWT plugin via **declarative config (YAML) or Admin API** • Set up **consumers + credentials** (public keys / shared secrets) • Align with your existing JWT issuer (algorithms, claims, headers) • Apply plugin to required services/routes **Validation & testing:** • Verify **valid tokens → request forwarded to microservices** • Invalid/missing tokens → proper **401/403 responses** • Test end-to-end within your Kubernetes staging setup **K8s & Kong setup:** • Update Kong config (Helm/Ingress/CRDs if used) • Ensure env vars, secrets, and configs are cleanly managed • Optional: enable **rate limiting + logging plugins** **Deliverables:** • Fully working JWT auth on Kong routes • Configured consumers + keys/secrets • Tested request flow (auth success/failure cases) • Clear README (setup, commands, manifests) **Experience:** Worked on API gateways (Kong/Nginx), microservices, and **secure auth pipelines in K8s environments**. I focus on **secure, reproducible, and production-ready setups**. Ready to start immediately and complete quickly.

@rohitpatidar001

With over 9 years of experience in developing web and enterprise applications, I possess the exact skills needed to tackle this project. My specialization in Spring Boot–based microservices and RESTful APIs aligns perfectly with your requirements of setting up Kong Gateway and customizing plugins for JWT.Authentication. Additionally, my proficiency in PostgreSQL makes me apt for configuring the token expiration management and revocation strategy using Redis or Postgres. Notably, my prior projects involved working with API security and validation, which provides me a firm grip over securing upstream services by using signed tokens.I can extend the existing jwt-claims-validation plugin or build you a custom plugin to enforce all necessary authentication flows. Moreover, I am well-versed with CI/CD pipelines and have extensive experience in Docker and Kubernetes that will allow me to smoothly deliver the acceptance criteria – a docker-compose or k8s manifest along with relevant scripts for successful testing of JWT-based authentication system. Furthermore, as evident from my background in working on critical platforms (finance, compliance, healthcare) I understand the significance of clean architecture, reliability, and long-term maintainability which will reflect in my code and ensure effortless future adjustments like rotating signing keys or modifying claim validation rules.

@fizaa170

Here is your bid: Kong OSS JWT end-to-end with revocation and custom claims — I've built custom Kong plugins before and this scope is clear. Token expiration configured at proxy layer with sensible defaults and tunable config Revocation strategy via Redis blacklist wired into a custom plugin — full call-flow documented Custom claims enriched on issued tokens, validated by Kong, forwarded to upstreams via headers Docker-compose or K8s manifest — one command spin-up Postman/curl scripts — login, token use, expiration failure, revoked token rejection all demonstrated README covering key rotation and claim validation rule updates Timeline: 7 Days Days 1–2: Expiration + plugin setup | Days 3–4: Revocation layer & Redis | Days 5–6: Custom claims & upstream headers | Day 7: Manifests, scripts & README Ready to start immediately. Let us talk. Are you currently using declarative config (deck) or admin API to manage Kong?

@jagratip3

Hi there, I can help you implement a full Kong Gateway JWT authentication layer (OSS-only) with clean token lifecycle control, custom claims handling, and secure upstream protection. Approach: I will build the solution directly within Kong’s plugin ecosystem using a mix of native JWT plugin configuration and a lightweight custom plugin where needed. The goal is to keep everything Kong-native, scalable, and easy to maintain. Key implementation plan: • JWT Authentication Layer Configure Kong JWT plugin for signature verification at the gateway level Ensure all upstream services are protected and unreachable without valid tokens Enforce strict token validation at the proxy layer • Token Expiration Management Define global and per-route TTL policies Validate expiry strictly via Kong before request proxying Make expiration settings configurable via declarative config (decK / YAML) • Token Revocation Strategy Implement Redis or Postgres-backed blacklist store Create custom Kong plugin (or extend JWT plugin logic) to check revoked tokens in real time Document full revocation flow (issue → revoke → deny) • Custom Claims Handling Inject required claims at token issuance layer Validate claims inside Kong plugin logic Forward trusted claims to upstream services via HTTP headers securely I am ready to start today and can deliver a production-grade, testable setup quickly. Best Regards, JP

@rishi9343

I will set up end-to-end JWT-based authentication for Kong Gateway, focusing on token expiration management, revocation, and custom claims, to protect upstream services with signed tokens, and deliver a docker-compose setup, Postman scripts, and a clear README for key rotation and claim validation, ensuring a stable and tested solution.

@laibatahir396

Hi there, As a DevOps engineer with deep experience in API gateways and secure microservice architectures, I can implement a robust end-to-end JWT authentication solution directly within Kong OSS, tailored to your requirements without relying on external IdPs. I will design and integrate custom or extended Kong plugins to handle token expiration, revocation (via Redis or Postgres-backed blacklist), and custom claims validation, ensuring all upstream services are securely protected and enriched with validated headers. The setup will include a fully reproducible docker-compose or Kubernetes deployment, along with Postman/cURL test scripts covering successful authentication, expiration handling, and revocation scenarios. Additionally, I’ll provide a clear README documenting key rotation, claim configuration, and operational workflows, ensuring your team can maintain and extend the solution Best Regards, Laiba

@SurbhiElectronet

Hi, I can help you implement a clean, production-ready JWT authentication flow directly within Kong OSS, including custom plugin logic where needed. I’ve worked with Kong Gateway, declarative configs, and JWT validation, and I’m comfortable extending plugins to handle custom claims, token revocation (Redis/Postgres), and strict expiration enforcement at the proxy layer. I’ll set this up end-to-end with a reproducible docker-compose or k8s setup, along with test scripts (Postman/curl) covering token issuance, validation, expiry, and revocation scenarios. Clear documentation will also be included for key rotation and future configuration changes. The focus will be on keeping the solution lightweight, secure, and fully aligned with Kong OSS capabilities. Happy to review your current config and get started. Best regards, Siddharth

@shahidhabib791

Hi there, I Hope This Proposle is Right Fit For Your Project. I have carefully read your job summary and understand you need a complete Kong OSS JWT authentication setup with custom logic for token lifecycle management. My understanding is that your core challenge is not just enabling JWT validation, but building a secure, production-ready flow including expiration handling, revocation mechanism, and custom claims propagation across upstream services. I can configure Kong using declarative/K8s setup, implement or extend plugins for token revocation (Redis/Postgres blacklist approach), enforce claim validation, and forward verified claims via headers to services. I will also prepare a one-command docker-compose/Kubernetes setup, along with Postman/curl tests for login, expiry, and revoked-token scenarios, plus a clear README for key rotation and rule updates. Best Regards Habib Ullah .

@aurvix

Your Kong JWT setup needs token expiration, revocation, and custom claims — all within OSS Kong, no external IdP. A common pitfall is leaking token validation logic across plugins; I'd centralize it in a single claims-validation plugin. In my mBART50 Translation API project, I built a custom FastAPI auth middleware with JWT expiration and Redis-based blacklisting under heavy traffic — same pattern applies here. My stack (Node.js, Docker, PostgreSQL, Python, PyTorch) maps directly to your requirements. I'd deliver in two milestones: first a working plugin with expiration and claims, then revocation with full test scripts and a README covering key rotation. Quick question — are you storing signing keys in Kong's vault or environment variables for rotation?

@alluankit01

Hi, I can set up Kong OSS with end to end JWT authentication, custom claim validation, expiration handling, and token revocation. I understand the focus is Kong Gateway itself, not an external IdP. I’ll review your current declarative config, protect the upstream services with JWT validation, define signing key rotation steps, configure token expiry behavior, and expose required user/custom claims to upstream services through headers. For revocation, I can implement a lightweight Redis or Postgres blacklist approach through a custom Kong plugin or an extension around claim validation, then provide the exact call flow for rejecting revoked tokens at the proxy layer. I’ll deliver docker-compose or Kubernetes manifests, updated Kong config, plugin code if needed, Postman/curl examples for valid, expired, and revoked tokens, plus a clear README for future tuning. Best regards Ankit

@donutello18

Hi, this project fits well with my backend and API experience, especially working with Node.js, PostgreSQL, and containerized environments. I understand that the focus is on implementing JWT authentication directly within Kong OSS, including custom plugin development and secure token handling. I can design a robust setup covering token expiration, a lightweight revocation strategy using Redis or PostgreSQL, and custom claims validation with headers forwarded to upstream services. I’ll ensure everything is reproducible via Docker Compose or Kubernetes, along with clear curl/Postman test flows demonstrating token lifecycle scenarios. You’ll also get a clean README covering key rotation, configuration, and future extensibility. I focus on building secure, maintainable systems—not just making things work—and I’m ready to get started right away.

@hinak04

"I have thoroughly reviewed your project and understand exactly what you need. With my proven experience in similar tasks, I can deliver high-quality, accurate, and professional results. I focus on clear communication, quick turnaround, and client satisfaction. I am confident I can complete this project efficiently and exceed your expectations. Let’s get started!"