Authentication

Harmony Proxy supports multiple authentication methods to secure your data integration gateway.

JWT Authentication

JWT (JSON Web Token) is the recommended authentication method for production deployments.

RS256 (Recommended)

RS256 uses asymmetric cryptography with public/private key pairs:

[[middleware]]
type = "jwt-auth"
config = {
  algorithm = "RS256",
  jwks_url = "https://auth.example.com/.well-known/jwks.json",
  issuer = "https://auth.example.com",
  audience = "harmony-api"
}

Benefits:

• Private key stays on auth server
• Public keys can be distributed
• Supports key rotation
• Industry standard for OAuth/OIDC

HS256

HS256 uses a shared secret (symmetric):

[[middleware]]
type = "jwt-auth"
config = {
  algorithm = "HS256",
  secret = "${JWT_SECRET}",  # Use environment variable
  issuer = "harmony",
  audience = "api"
}

Use cases:

• Development environments
• Internal services with shared secrets
• Simple authentication needs

Basic Authentication

For simple HTTP Basic authentication:

[[middleware]]
type = "basic-auth"
config = {
  username = "admin",
  password_hash = "$2b$12$..." # bcrypt hash
}

Note: Only use with HTTPS in production.

API Key Authentication

Custom header-based API key authentication:

[[middleware]]
type = "api-key"
config = {
  header = "X-API-Key",
  keys = [
    "key1_hashed_value",
    "key2_hashed_value"
  ]
}

Runbeam Cloud Integration

For detailed information on connecting Harmony to Runbeam Cloud, see Connecting to Runbeam.

Token Validation

JWT Claims

Harmony validates these JWT claims:

• exp (Expiry) - Token must not be expired
• nbf (Not Before) - Token must be valid
• iat (Issued At) - Token issuance time
• iss (Issuer) - Must match configured issuer
• aud (Audience) - Must match configured audience

Example JWT Payload

{
  "sub": "user@example.com",
  "iss": "https://auth.example.com",
  "aud": "harmony-api",
  "exp": 1735689600,
  "iat": 1735603200,
  "nbf": 1735603200
}

Multiple Authentication Methods

Chain multiple authentication middleware:

# Try JWT first, fall back to API key
[[middleware]]
type = "jwt-auth"
config = { algorithm = "RS256", jwks_url = "..." }
optional = true

[[middleware]]
type = "api-key"
config = { header = "X-API-Key", keys = [...] }

Security Best Practices

Development

• Use HS256 with environment variables for secrets
• Enable debug logging for troubleshooting
• Use short token expiry times

Production

• Always use RS256 with JWKS rotation
• Never commit secrets to version control
• Use HTTPS for all endpoints
• Store tokens securely in encrypted storage
• Monitor token expiry and rotate before 30 days
• Use separate keys for different environments

Encryption Key Generation

# Generate encryption key (Linux/macOS)
age-keygen | grep AGE-SECRET-KEY | base64 -w 0

# Store in environment
export RUNBEAM_ENCRYPTION_KEY=$(age-keygen | grep AGE-SECRET-KEY | base64 -w 0)

Troubleshooting

JWT Validation Fails

Symptoms: "Invalid signature" or "Token expired"

Solutions:

• Check system clock is synchronized
• Verify JWKS endpoint is accessible
• Ensure token hasn't expired
• Check issuer and audience claims match

Machine Token Expired

Symptoms: Gateway can't connect to Runbeam Cloud

Solutions:

• Check expiry: runbeam harmony:info -l my-gateway
• Re-authorize: runbeam harmony:authorize -l my-gateway
• Set up monitoring alert at 25 days

Storage Backend Issues

Symptoms: "Failed to save token" or "Storage backend unavailable"

Solutions:

• Check file permissions on ~/.runbeam/
• Set RUNBEAM_ENCRYPTION_KEY explicitly
• Check logs: RUST_LOG=debug harmony-proxy

Next Steps

• Deploy to production →
• Learn about authentication concepts →