Jwt issuer / jwt node / aws Api Gateway jwt

Issue with JWT Authentication Between n8n and AWS API Gateway

Problem Description

I’m trying to integrate n8n with AWS API Gateway using JWT authentication. My goal is to generate a JWT in n8n, sign it with a private key, and have API Gateway verify it using the public key exposed through a /jwks endpoint.

However, despite the fact that the JWT is valid (tested on jwt.io with signature verified) and the JWKS endpoint is accessible, API Gateway keeps returning a 401 Unauthorized error.


Current Configuration

🔹 1. JWT Generation in n8n

  • I am using the JWT node in n8n.
  • The JWT is generated with the following payload:
{
  "iss": "https://my-n8n-endpoint/webhook/jwt-issuer",
  "aud": "https://my-api-gateway/",
  "exp": 1739148233,
  "jti": "1739144633796",
  "iat": 1739144633
}
  • The JWT is signed using RS256 with a private key (private.pem).
  • Tested on jwt.io, and the signature is verified with the corresponding public key (public.pem).

🔹 2. JWKS Configuration

  • The /jwks endpoint in n8n is accessible and returns the correct JSON format:
{
  "keys": [
    {
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "kid": "n8n-key",
      "n": "BASE64_PUBLIC_KEY",
      "e": "AQAB"
    }
  ]
}
  • I have confirmed that the "n" value matches the Base64-encoded public key.

🔹 3. API Gateway Configuration

  • I have created a JWT Authorizer in API Gateway with the following settings:
    • Issuer (iss): https://my-n8n-endpoint/webhook/jwt-issuer
    • Audience (aud): https://my-api-gateway/
    • JWKS URL: https://my-n8n-endpoint/webhook/jwt-issuer/jwks
  • API Gateway appears to access the JWKS endpoint, but it still rejects the JWT with a 401 error.

Debugging & Tests Performed

✅ JWT verified successfully on jwt.io with the public key
✅ JWKS endpoint is accessible and returns valid JSON
✅ Testing API Gateway with the generated JWT → 401 Unauthorized
✅ CloudWatch logs → No useful details, just 401 errors
✅ Testing manually with API Gateway’s “Test Authorizer” → Generic error without explanation


Question

Has anyone successfully set up this configuration?

  • Is there anything specific that needs to be configured in n8n to ensure JWKS is correctly read by API Gateway?
  • Does API Gateway have any known limitations when reading JWKS from an n8n webhook?
  • Is it possible that n8n is not serving JWKS in the expected format?

Any help would be greatly appreciated! 🚀
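A pre-flight check for the setup described in the post, added here as an example (not the poster's code and not n8n or AWS code). It assumes the authorizer matches the JWT header `kid` against a JWKS key and expects `n` in RFC 7518 form; `preflight`, `checkJwkModulus` and the filler key bytes are constructed for illustration, and the signature itself is not verified.

```javascript
// Added example, not from the original post. It does NOT verify the signature;
// it checks the metadata a JWT authorizer looks at before and around that step.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// RFC 7518 section 6.3.1.1: "n" is the unpadded base64url big-endian modulus.
function checkJwkModulus(jwk) {
  const problems = [];
  const n = jwk.n || '';
  if (!/^[A-Za-z0-9_-]+$/.test(n)) problems.push('n is not unpadded base64url');
  const bytes = Buffer.from(n, 'base64'); // Node decodes both alphabets here
  // The body of a PEM public key is DER and starts with SEQUENCE: 0x30 0x82.
  if (bytes[0] === 0x30 && bytes[1] === 0x82) {
    problems.push('n looks like the DER body of a PEM file, not the bare modulus');
  }
  return problems;
}

function preflight(token, jwks, cfg, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['token is not a three-part compact JWS'];
  const header = dec(parts[0]);
  const claims = dec(parts[1]);
  const problems = [];
  if (header.alg !== 'RS256') problems.push(`alg is ${header.alg}, expected RS256`);
  const key = (jwks.keys || []).find((k) => k.kid === header.kid);
  if (!header.kid) problems.push('JWT header has no kid');
  else if (!key) problems.push(`no JWKS key with kid ${header.kid}`);
  else problems.push(...checkJwkModulus(key));
  if (claims.iss !== cfg.issuer) problems.push('iss differs from the configured issuer');
  if (![].concat(claims.aud || []).includes(cfg.audience)) problems.push('aud mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) problems.push('exp missing or past');
  if (typeof claims.iat !== 'number' || claims.iat > nowSec) problems.push('iat missing or in the future');
  return problems;
}

// Constructed sample data: claims and kid from the post, key material is filler bytes.
const CFG = { issuer: 'https://my-n8n-endpoint/webhook/jwt-issuer', audience: 'https://my-api-gateway/' };
const CLAIMS = { iss: CFG.issuer, aud: CFG.audience, exp: 1739148233, jti: '1739144633796', iat: 1739144633 };
const sampleToken = (header) => `${enc(header)}.${enc(CLAIMS)}.c2lnbmF0dXJl`;
const jwksWith = (n) => ({ keys: [{ kty: 'RSA', alg: 'RS256', use: 'sig', kid: 'n8n-key', n, e: 'AQAB' }] });
const GOOD_N = Buffer.alloc(256, 0xab).toString('base64url'); // modulus-sized filler
const PEM_BODY_N = Buffer.concat([Buffer.from([0x30, 0x82, 0x01, 0x22]), Buffer.alloc(290, 0x41)]).toString('base64');

const NOW = 1739144700; // fixed clock inside the sample token's validity window
console.log(preflight(sampleToken({ alg: 'RS256', typ: 'JWT', kid: 'n8n-key' }), jwksWith(GOOD_N), CFG, NOW));
console.log(preflight(sampleToken({ alg: 'RS256', typ: 'JWT', kid: 'n8n-key' }), jwksWith(PEM_BODY_N), CFG, NOW));
```

An empty array means none of these checks failed; a token that passes here can still be rejected if its signature does not verify against the published key.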
