Release date 2026/04/07
calls to the /rotate endpoint now enable certificate
verification by default when connecting to the configured endpoint to rotate
the keys.
The options access_token_endpoints_ssl_verify and
channel_token_endpoints_ssl_verify, which control SSL certificate
verification for signature verification and introspection endpoints, are now
enabled by default.
Release date 2025/12/18
added support to the tls_certificate_verify global option.
When this option is enabled the plugin’s flags related to certificate
verification cannot be disabled.
added the flags access_token_endpoints_ssl_verify
and channel_token_endpoints_ssl_verify to switch certificate verification
on the related fields.
Release date 2025/10/01
Added support for additional claim validations, including notbefore, issuer, subject, and audience.
Added new options to support claim existence verification: access_channel_token_(introspection_)required_claims. The specified claims must be present in the token payload.
Added new options to support optional claim verification: access_channel_token_(introspection_)optional_claims. The specified claims are verified only if they are present.
Added new options access_token_signing and channel_token_signing to quickly turn on and off token signing or re-signing.
Release date 2025/07/03
Fixed an issue where data planes didn’t use the keys passed from the control plane to sign/re-sign.
Release date 2025/08/07
Fixed an issue where data planes didn’t use the keys passed from the control plane to sign/re-sign.
Release date 2025/03/27
Fixed an issue where the jwt-signer plugin failed to upsert jwks if the jwks contains extra custom fields.
Release date 2024/09/11
Supported /jwt-signer/jwks/:jwt_signer_jwks endpoint in dbless mode.
Release date 2024/05/28
supports basic auth and mtls auth to external jwks services
The plugin now supports periodically rotating the jwks. For example, to autmatically rotate access_token_jwks_uri, you can set the config access_token_jwks_uri_rotate_period
The plugin now supports adding the original JWT(s) to the upstream request header by specifying the names of the upstream request header with original_access_token_upstream_header and original_channel_token_upstream_header.
And access_token_upstream_header, channel_token_upstream_header, original_access_token_upstream_header, and original_channel_token_upstream_header should not have the same value.
Support pseudo json value in add_claims and set_claims for JWT-Signer. We can achieve the goal of passing multiple values to a key by passing a JSON string as the value. And add add_access_token_claims, set_access_token_claims, add_channel_token_claims, set_channel_token_claims for individually adding claims to access tokens and channel tokens. Additionally, add remove_access_token_claims and remove_channel_token_claims to support the removal of claims.
Release date 2024/02/12
support for consumer group scoping by using pdk kong.client.authenticate function
Release date 2024/05/20
support for consumer group scoping by using pdk kong.client.authenticate function
Release date 2024/03/21
support for consumer group scoping by using pdk kong.client.authenticate function
Release date 2023/05/19
Added the configuration field add_claims, which lets you add extra claims to JWT.
Release date 2023/02/28
Improved Plugin Documentation: Revised docs for the following plugins to include examples:
Improved Plugin Documentation: JWT Signer
Release date 2022/12/06
The anonymous field can now be configured as the username of the consumer. This field allows you to configure a string to use as an “anonymous” consumer if authentication fails.
Release date 2022/09/09
Updated the priority for some plugins.: jwt-signer changed from 999 to 1020.