Skip to main content

Rego's JWT Built-in Functions

While OPA isn't responsible for issuing JWT tokens, Rego policies commonly operate on HTTP requests which are authenticated using JWT tokens. Because of this, it's important that Rego has native functionality to decode and verify the contents of JWT tokens in order to enforce additional authorization logic on requests.

Tokens often contain information about a user, which can be useful when writing authorization policies. Other information contained in a token's claims can include:

  • Email or user ID. This can be used to look up the user in other datasets.
  • Roles or groups. Often used for role-based access control.
  • Locale, language and location. This can be used to enforce regional restrictions or provide localized messages.

Tokens can also contain any number of custom claims that are specific to your organization and use case.


Remember that JWT tokens must be verified before being trusted. Using io.jwt.decode() alone is not enough without also verifying the token's signature. io.jwt.decode_verify() is the recommended function to use as it both decodes and verifies the token while supporting a wide range of signature algorithms.