Observer
Observer

Configure JWT-scoped access

Gate a status page behind a Bearer token verified against your public key or JWKS endpoint.

The jwt access mode gates a status page behind a Bearer token that Observer Cloud verifies against a public key (or a JWKS endpoint) you control. Use it when the audience already has an identity issued by your auth system, and you want the same identity to authorise status-page reads.

Prerequisites

  • A signing key (RS256, ES256, or any algorithm Observer's verifier supports). Either a single PEM public key or a JWKS endpoint Observer can fetch.
  • A way to issue tokens for the audience (typically your auth service or an Identity Provider).

Configure the page

  1. Switch the page to JWT mode

    Open the page in the console, then Access. Set:

    • Mode: jwt.
    • Public key (PEM) or JWKS URL: whichever your issuer exposes.
    • Audience (optional): the aud claim Observer should require.
    • Issuer (optional): the iss claim Observer should require.

    Save.

  2. Issue tokens

    Sign tokens with the matching private key. Observer accepts:

    • The Authorization: Bearer <token> header on requests to the page.
    • The ?token=<token> query parameter, for embed iframes that cannot set headers.

    A typical claim set:

    {
  "iss": "https://your-idp.example",
  "aud": "observer-status-page",
  "sub": "user-or-customer-identifier",
  "exp": 1716480000
}

  3. Validate the round trip

    Open the page with the Bearer header set. Successful verification renders the page. A missing or invalid token returns 401.

Was this page helpful?