Configure JWT-scoped access

Gate a status page behind a Bearer token verified against your public key or JWKS endpoint.

The jwt access mode gates a status page behind a Bearer token that Observer Cloud verifies against a public key (or a JWKS endpoint) you control. Use it when the audience already has an identity issued by your auth system, and you want the same identity to authorise status-page reads.

Prerequisites

A signing key (RS256, ES256, or any algorithm Observer's verifier supports). Either a single PEM public key or a JWKS endpoint Observer can fetch.
A way to issue tokens for the audience (typically your auth service or an Identity Provider).

Configure the page

•
Switch the page to JWT mode
Open the page in the console, then Access. Set:
- Mode: jwt.
- Public key (PEM) or JWKS URL: whichever your issuer exposes.
- Audience (optional): the aud claim Observer should require.
- Issuer (optional): the iss claim Observer should require.
Save.
•
Issue tokens
Sign tokens with the matching private key. Observer accepts the token on the status page, its /incidents view, the /embed widget, and the Atom/RSS feeds, two ways:
- The Authorization: Bearer <token> header, for programmatic requests.
- The ?token=<token> query parameter, for magic links you send a customer (a URL they open directly) and for embed iframes that cannot set headers.
A typical claim set:
```
{
  "iss": "https://your-idp.example",
  "aud": "observer-status-page",
  "sub": "user-or-customer-identifier",
  "exp": 1716480000
}
```
Validate the round trip
Open the page with the Bearer header set. Successful verification renders the page. A missing or invalid token returns 401.

Configure JWT-scoped access

Prerequisites

Configure the page

Switch the page to JWT mode

Issue tokens

Validate the round trip