> ## Documentation Index
> Fetch the complete documentation index at: https://www.cockroachlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Get a JWT Issuer

> Retrieves the JWT Issuer configuration

Can be used by the following roles assigned at the organization scope:
- ORG_ADMIN


<Warning>This endpoint is in **Limited Access** and may not be available to all users. Refer to the [API support policy](https://www.cockroachlabs.com/docs/stable/api-support-policy) for more details.</Warning>


## OpenAPI

````yaml /openapi/cloud/2023-04-10.json get /api/v1/jwt-issuers/{id}
openapi: 3.0.0
info:
  contact:
    email: support@cockroachlabs.com
    name: Cockroach Labs Support
    url: https://support.cockroachlabs.com
  description: An API for managing CockroachDB Cloud resources
  title: CockroachDB Cloud API
  version: '2023-04-10'
servers:
  - url: https://cockroachlabs.cloud
security:
  - Bearer: []
tags:
  - name: SCIM
  - name: Organizations
  - name: Clusters
  - name: SQL Users
  - name: SQL Privilege Grants
  - name: Databases
  - name: Customer-managed Encryption Keys
  - name: Client CA Certificates
  - name: Cluster SSO
  - name: Log Export
  - name: Metric Export
  - name: Audit Logs
  - name: IP Allowlists
  - name: Egress Rules
  - name: Billing
  - name: Maintenance Windows
  - name: Role Management
  - name: Service Accounts
  - name: API Keys
  - name: Folders
  - name: Version Deferral
  - name: JWT Issuers
  - name: OpenID Connect Configuration
  - name: Private Endpoint Services
  - name: PCI
  - name: Physical Cluster Replication
  - name: Backup/Restore
externalDocs:
  description: Use the CockroachDB Cloud API
  url: https://www.cockroachlabs.com/docs/cockroachcloud/cloud-api
paths:
  /api/v1/jwt-issuers/{id}:
    get:
      tags:
        - JWT Issuers
      summary: Get a JWT Issuer
      description: |
        Retrieves the JWT Issuer configuration

        Can be used by the following roles assigned at the organization scope:
        - ORG_ADMIN
      operationId: CockroachCloud_GetJWTIssuer
      parameters:
        - name: id
          in: path
          description: The unique identifier of the JWT Issuer resource
          required: true
          schema:
            type: string
            format: uuid
      responses:
        '200':
          description: A successful response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/JWTIssuer'
        '400':
          description: Returned when a request field is invalid.
          content:
            application/json:
              schema: {}
        '401':
          description: Returned when the token bearer cannot be authenticated.
          content:
            application/json:
              schema: {}
        '403':
          description: >-
            Returned when the user does not have permission to access the
            resource.
          content:
            application/json:
              schema: {}
        '404':
          description: Returned when the resource does not exist.
          content:
            application/json:
              schema: {}
        '500':
          description: Server error
          content:
            application/json:
              schema: {}
        default:
          description: An unexpected error response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Status'
      x-codeSamples:
        - lang: curl
          source: |-
            curl --request GET \
              --url https://cockroachlabs.cloud/api/v1/jwt-issuers/{id} \
              --header 'Authorization: Bearer REPLACE_BEARER_TOKEN'
components:
  schemas:
    JWTIssuer:
      type: object
      properties:
        audience:
          type: string
          example: 1234567890abcd
          title: The intended audience for consuming the JWT
        claim:
          type: string
          example: email
          title: >-
            Used to identify the user from the external Identity Provider.
            Defaults to "sub"
        id:
          type: string
          format: uuid
          example: 1234abcd-1234-1234-abcd-12345678abcd
          title: The unique identifier of the JWT Issuer resource
        identity_map:
          type: array
          items:
            $ref: '#/components/schemas/JWTIssuerIdentityMapEntry'
          title: >-
            A list of mappings to map the external token identity into
            CockroachDB Cloud
        issuer_url:
          type: string
          example: https://jwt-issuer.example.com
          title: The URL of the server issuing JWTs
        jwks:
          type: string
          example: >-
            {"keys":[{"e":"AQAB","use":"sig","kty":"RSA","alg":"RS256","n":"tid8bJCI5FxtvMiVHq8pRZBGIPaG9mEa1akpIC9munzxA3mWoc-KoR1TGkocu76WFthaZnPS31WJbRVChU6g4EMIg7E8Ltpxifk1PQu0qqbLcpnoI62ojsB7l_Z_lkls0NUzTuKGMMtNoJsDrL1BT0UzcnWerh2PwzDAMpfPgafWdT2IYGTx1gNLcNOWpPhDgMSQqUmIPwCmxdan4i4OMd7lJYQ1WQlN8VnQgbRgHrm1zImY6MPqho9jW3Ub5FwGbunwCDrP9a2dD_5Iwm7_lR82iB4BGlu28WxFn0fm5DgZAeAFSGKE1xblC97WrjnPh2XYTx6pxsea_Hn71VcNSQ","kid":"9341dedeee2d1869b657fa930300082fe26b3d92"}]}
          title: A set of public keys (JWKS) used to verify a JWT
      required:
        - id
        - issuer_url
        - audience
      title: JWTIssuer
    Status:
      type: object
      properties:
        code:
          type: integer
          format: int32
        details:
          type: array
          items:
            $ref: '#/components/schemas/Any'
        message:
          type: string
    JWTIssuerIdentityMapEntry:
      type: object
      properties:
        cc_identity:
          description: >-
            Specifies how to map the fetched token identity to an identity in
            CockroachDB Cloud. In case of a regular

            expression for token_identity, this must contain a \1 placeholder
            for the matched content.
          type: string
          example: \1
        is_regex:
          description: >-
            Deprecated: Specifies whether the token_identity is in regular
            expression format. This is now deprecated as the

            API handles regular expressions seamlessly, and it need not be
            provided in the request.
          type: boolean
        token_identity:
          description: >-
            Specifies how to fetch external identity from the token claim. A
            regular expression must start

            with a forward slash. The regular expression must be in RE2
            compatible syntax. For further details, please see

            https://github.com/google/re2/wiki/Syntax.
          type: string
          example: /^sso_(.*)$
    Any:
      description: >-
        `Any` contains an arbitrary serialized protocol buffer message along
        with a

        URL that describes the type of the serialized message.


        Protobuf library provides support to pack/unpack Any values in the form

        of utility functions or additional generated methods of the Any type.


        Example 1: Pack and unpack a message in C++.

            Foo foo = ...;
            Any any;
            any.PackFrom(foo);
            ...
            if (any.UnpackTo(&foo)) {
              ...
            }

        Example 2: Pack and unpack a message in Java.

            Foo foo = ...;
            Any any = Any.pack(foo);
            ...
            if (any.is(Foo.class)) {
              foo = any.unpack(Foo.class);
            }
            // or ...
            if (any.isSameTypeAs(Foo.getDefaultInstance())) {
              foo = any.unpack(Foo.getDefaultInstance());
            }

         Example 3: Pack and unpack a message in Python.

            foo = Foo(...)
            any = Any()
            any.Pack(foo)
            ...
            if any.Is(Foo.DESCRIPTOR):
              any.Unpack(foo)
              ...

         Example 4: Pack and unpack a message in Go

             foo := &pb.Foo{...}
             any, err := anypb.New(foo)
             if err != nil {
               ...
             }
             ...
             foo := &pb.Foo{}
             if err := any.UnmarshalTo(foo); err != nil {
               ...
             }

        The pack methods provided by protobuf library will by default use

        'type.googleapis.com/full.type.name' as the type URL and the unpack

        methods only use the fully qualified type name after the last '/'

        in the type URL, for example "foo.bar.com/x/y.z" will yield type

        name "y.z".


        JSON

        ====

        The JSON representation of an `Any` value uses the regular

        representation of the deserialized, embedded message, with an

        additional field `@type` which contains the type URL. Example:

            package google.profile;
            message Person {
              string first_name = 1;
              string last_name = 2;
            }

            {
              "@type": "type.googleapis.com/google.profile.Person",
              "firstName": <string>,
              "lastName": <string>
            }

        If the embedded message type is well-known and has a custom JSON

        representation, that representation will be embedded adding a field

        `value` which holds the custom JSON in addition to the `@type`

        field. Example (for message [google.protobuf.Duration][]):

            {
              "@type": "type.googleapis.com/google.protobuf.Duration",
              "value": "1.212s"
            }
      type: object
      properties:
        '@type':
          description: >-
            A URL/resource name that uniquely identifies the type of the
            serialized

            protocol buffer message. This string must contain at least

            one "/" character. The last segment of the URL's path must represent

            the fully qualified name of the type (as in

            `path/google.protobuf.Duration`). The name should be in a canonical
            form

            (e.g., leading "." is not accepted).


            In practice, teams usually precompile into the binary all types that
            they

            expect it to use in the context of Any. However, for URLs which use
            the

            scheme `http`, `https`, or no scheme, one can optionally set up a
            type

            server that maps type URLs to message definitions as follows:


            * If no scheme is provided, `https` is assumed.

            * An HTTP GET on the URL must yield a [google.protobuf.Type][]
              value in binary format, or produce an error.
            * Applications are allowed to cache lookup results based on the
              URL, or have them precompiled into a binary to avoid any
              lookup. Therefore, binary compatibility needs to be preserved
              on changes to types. (Use versioned type names to manage
              breaking changes.)

            Note: this functionality is not currently available in the official

            protobuf release, and it is not used for type URLs beginning with

            type.googleapis.com. As of May 2023, there are no widely used type
            server

            implementations and no plans to implement one.


            Schemes other than `http`, `https` (or the empty scheme) might be

            used with implementation specific semantics.
          type: string
      additionalProperties: {}
  securitySchemes:
    Bearer:
      type: http
      scheme: bearer

````