Local JWT Development Setup

This document describes how to run Temporal server locally with JWT authentication enabled for test and development purposes.

Overview

The setup uses:

• RSA key pair for signing/verifying JWTs
• JWKS file loaded directly from disk via file:// URI
• Custom config file development-jwt.yaml with authorization enabled

Files

• config/development-jwt.yaml - Server config with JWT auth enabled
• config/jwt/setup-keys.sh - Generates RSA key pair and JWKS
• config/jwt/generate-token.sh - Helper script to generate test JWTs

Generated files (created by setup-keys.sh in /tmp/temporal-jwt-test/):

• /tmp/temporal-jwt-test/private-key.pem - RSA private key for signing test JWTs
• /tmp/temporal-jwt-test/.well-known/jwks.json - JWKS file with RSA public key

Makefile Targets

• make start-jwt - Start Temporal with JWT auth (no --allow-no-auth flag)

Usage

1. Start Temporal with JWT Auth

make start-jwt

Note: Unlike other start-* targets, this does NOT use the --allow-no-auth flag, so authentication is enforced.

2. Generate Test JWTs

# Default: [email protected] with system:admin
./config/jwt/generate-token.sh

# Custom subject with system:admin
./config/jwt/generate-token.sh [email protected]

# Custom subject with namespace permission
./config/jwt/generate-token.sh [email protected] default:admin

# Multiple permissions
./config/jwt/generate-token.sh [email protected] system:admin default:writer

3. Use the Token

TOKEN=$(./config/jwt/generate-token.sh [email protected] default:admin)
temporal --tls=false --api-key "$TOKEN" workflow list