A JSON web token (JWT) is a standardized, optionally validated and/or encrypted format that is used to securely transfer information between two parties.

In the HTTP ACCESS phase, users can define the action to validate JWT from clients and pass, or remove JWT to backend servers.

Load Balancer rules support REGEX for match types. PCRE style REGEX patters is supported with a few limitations on advanced use cases. When REGEX is used in match conditions, named capturing groups are supported. See Regular Expressions in Load Balancer Rules.


Verify that a Layer 7 HTTP virtual server is available. See Add Layer 7 HTTP Virtual Servers.


  1. Open the Layer 7 HTTP virtual server.
  2. In the Load Balancer Rules section, next to HTTP Access Phase, click Set > Add Rule to configure the load balancer rules for the HTTP Request Rewrite phase.
  3. From the drop-down menu, select a match condition. Match conditions are used to match application traffic passing through load balancers. Multiple match conditions can be specified in one load balancer rule. Each match condition defines a criterion for application traffic.
    Supported Match Condition Description
    HTTP Request Method Match an HTTP request method.

    http_request.method - value to match

    HTTP Request URI Match an HTTP request URI without query arguments.

    http_request.uri - value to match

    HTTP Request URI Arguments Match an HTTP request URI query argument.

    http_request.uri_arguments - value to match

    HTTP Request Version Match an HTTP request version.

    http_request.version - value to match

    HTTP Request Header Match any HTTP request header.

    http_request.header_name - header name to match

    http_request.header_value - value to match

    HTTP Request Cookie Match any HTTP request cookie.

    http_request.cookie_value - value to match

    HTTP Request Body Match an HTTP request body content.

    http_request.body_value - value to match

    TCP Header Port Match a TCP source or the destination port.

    tcp_header.source_port - source port to match

    tcp_header.destination_port - destination port to match
    IP Header Source Matches IP header text boxes in of HTTP messages. The source type must be either a single IP address, a range of IP addresses, or a group. See Add a Group.
    • If IP Header Source is selected, with an IP Address source type, the source IP address of HTTP messages should match IP addresses which are configured in groups. Both IPv4 and IPv6 addresses are supported.
    • If IP Header Source is selected with a Group source type, select the group from the drop-down menu.

    ip_header.source_address - source address to match

    ip_header.destination_address - destination address to match
    Variable Create a variable and assign a value to the variable.
    Client SSL Match client SSL profile ID.

    ssl_profile_id - value to match

    Case Sensitive Set a case-sensitive flag for HTTP header value comparison. If true, case is significant when comparing HTTP body value.
  4. From the drop-down list, select a Match Type: starts with, ends with, equals, contains, matches regex.
  5. If needed, enter the URI.
  6. From the drop-down list, select a Match Strategy:
    Match Strategy Description
    Any Either host or path may match for this rule to be considered a match.

    Both host and path must match for this rule to be considered a match.

  7. From the drop-down menu select an Action:
    Action Description
    JWT Authentication
    JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
    • Realm - A description of the protected area. If no realm is specified, clients often display a formatted hostname. The configured realm is returned when a client request is rejected with 401 http status. The response is: "WWW-Authentication: Bearer realm=<realm>".
    • Tokens - This parameter is optional. Load balancer searches for every specified token one-by-one for the JWT message until found. If not found, or if this text box is not configured, load balancer searches the Bearer header by default in the http request "Authorization: Bearer <token>"
    • Key Type - Symmetric key or asymmetric public key (certificate-id)
    • Preserve JWT - This is a flag to preserve JWT and pass it to backend server. If disabled, the JWT key to the backend server is removed.
    Connection Drop

    If negate is enabled, when Connection Drop is configured, all requests not matching the specified match condition are dropped. Requests matching the specified match condition are allowed.

    Variable Assignment

    Enables users to assign a value to a variable in HTTP Access Phase, in such a way that the result can be used as a condition in other load balancer rule phases.

  8. Click Save and Apply.