> ## Documentation Index
> Fetch the complete documentation index at: https://www.cockroachlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Add a JWT Issuer

> Registers a JWT Issuer with the CockroachDB Cloud to allow verifying JWTs during API authentication

Can be used by the following roles assigned at the organization scope:
- ORG_ADMIN


<Warning>This endpoint is in **Limited Access** and may not be available to all users. Refer to the [API support policy](https://www.cockroachlabs.com/docs/stable/api-support-policy) for more details.</Warning>


## OpenAPI

````yaml /openapi/cloud/latest.json post /api/v1/jwt-issuers
openapi: 3.0.0
info:
  contact:
    email: support@cockroachlabs.com
    name: Cockroach Labs Support
    url: https://support.cockroachlabs.com
  description: An API for managing CockroachDB Cloud resources
  title: CockroachDB Cloud API
  version: '2024-09-16'
servers:
  - url: https://cockroachlabs.cloud
security:
  - Bearer: []
tags:
  - name: SCIM
  - name: Organizations
  - name: Clusters
  - name: Cluster Disruption
  - name: SQL Users
  - name: SQL Privilege Grants
  - name: Databases
  - name: Customer-managed Encryption Keys
  - name: Client CA Certificates
  - name: Cluster SSO
  - name: Log Export
  - name: Metric Export
  - name: Audit Logs
  - name: IP Allowlists
  - name: Egress Rules
  - name: Billing
  - name: Maintenance Windows
  - name: Blackout Windows
  - name: Role Management
  - name: Service Accounts
  - name: API Keys
  - name: Folders
  - name: Version Deferral
  - name: JWT Issuers
  - name: OpenID Connect Configuration
  - name: Private Endpoint Services
  - name: PCI
  - name: Physical Cluster Replication
  - name: Plan Migrations
  - name: Backup/Restore
  - name: Egress Private Endpoints
  - name: Multifactor Authentication
externalDocs:
  description: Use the CockroachDB Cloud API
  url: https://www.cockroachlabs.com/docs/cockroachcloud/cloud-api.html
paths:
  /api/v1/jwt-issuers:
    post:
      tags:
        - JWT Issuers
      summary: Add a JWT Issuer
      description: >
        Registers a JWT Issuer with the CockroachDB Cloud to allow verifying
        JWTs during API authentication


        Can be used by the following roles assigned at the organization scope:

        - ORG_ADMIN
      operationId: CockroachCloud_AddJWTIssuer
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AddJWTIssuerRequest'
      responses:
        '200':
          description: A successful response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/JWTIssuer'
        '400':
          description: Returned when a request field is invalid.
          content:
            application/json:
              schema: {}
        '401':
          description: Returned when the token bearer cannot be authenticated.
          content:
            application/json:
              schema: {}
        '403':
          description: >-
            Returned when the user does not have permission to access the
            resource.
          content:
            application/json:
              schema: {}
        '404':
          description: Returned when the resource does not exist.
          content:
            application/json:
              schema: {}
        '500':
          description: Server error
          content:
            application/json:
              schema: {}
        default:
          description: An unexpected error response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Status'
      x-codeSamples:
        - lang: curl
          source: |-
            curl --request POST \
              --url https://cockroachlabs.cloud/api/v1/jwt-issuers \
              --header 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
              --json '{"audience":"1234567890abcd","claim":"email","identity_map":[{"cc_identity":"\\1","token_identity":"/^sso_(.*)$"}],"issuer_url":"https://jwt-issuer.example.com","jwks":"{\"keys\":[{\"e\":\"AQAB\",\"use\":\"sig\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"n\":\"tid8bJCI5FxtvMiVHq8pRZBGIPaG9mEa1akpIC9munzxA3mWoc-KoR1TGkocu76WFthaZnPS31WJbRVChU6g4EMIg7E8Ltpxifk1PQu0qqbLcpnoI62ojsB7l_Z_lkls0NUzTuKGMMtNoJsDrL1BT0UzcnWerh2PwzDAMpfPgafWdT2IYGTx1gNLcNOWpPhDgMSQqUmIPwCmxdan4i4OMd7lJYQ1WQlN8VnQgbRgHrm1zImY6MPqho9jW3Ub5FwGbunwCDrP9a2dD_5Iwm7_lR82iB4BGlu28WxFn0fm5DgZAeAFSGKE1xblC97WrjnPh2XYTx6pxsea_Hn71VcNSQ\",\"kid\":\"9341dedeee2d1869b657fa930300082fe26b3d92\"}]}"}'
components:
  schemas:
    AddJWTIssuerRequest:
      type: object
      properties:
        audience:
          type: string
          example: 1234567890abcd
          title: The intended audience for consuming the JWT
        claim:
          type: string
          example: email
          title: >-
            Used to identify the user from the external Identity Provider.
            Defaults to "sub"
        identity_map:
          description: >-
            A list of mappings to map the external token identity into
            CockroachDB Cloud.
          type: array
          items:
            $ref: '#/components/schemas/JWTIssuerIdentityMapEntry'
        issuer_url:
          type: string
          example: https://jwt-issuer.example.com
          title: The URL of the server issuing JWTs
        jwks:
          type: string
          example: >-
            {"keys":[{"e":"AQAB","use":"sig","kty":"RSA","alg":"RS256","n":"tid8bJCI5FxtvMiVHq8pRZBGIPaG9mEa1akpIC9munzxA3mWoc-KoR1TGkocu76WFthaZnPS31WJbRVChU6g4EMIg7E8Ltpxifk1PQu0qqbLcpnoI62ojsB7l_Z_lkls0NUzTuKGMMtNoJsDrL1BT0UzcnWerh2PwzDAMpfPgafWdT2IYGTx1gNLcNOWpPhDgMSQqUmIPwCmxdan4i4OMd7lJYQ1WQlN8VnQgbRgHrm1zImY6MPqho9jW3Ub5FwGbunwCDrP9a2dD_5Iwm7_lR82iB4BGlu28WxFn0fm5DgZAeAFSGKE1xblC97WrjnPh2XYTx6pxsea_Hn71VcNSQ","kid":"9341dedeee2d1869b657fa930300082fe26b3d92"}]}
          title: A set of public keys (JWKS) used to verify a JWT
      required:
        - issuer_url
        - audience
      title: AddJWTIssuerRequest
    JWTIssuer:
      type: object
      properties:
        audience:
          type: string
          example: 1234567890abcd
          title: The intended audience for consuming the JWT
        claim:
          type: string
          example: email
          title: >-
            Used to identify the user from the external Identity Provider.
            Defaults to "sub"
        id:
          type: string
          format: uuid
          example: 1234abcd-1234-1234-abcd-12345678abcd
          title: The unique identifier of the JWT Issuer resource
        identity_map:
          type: array
          items:
            $ref: '#/components/schemas/JWTIssuerIdentityMapEntry'
          title: >-
            A list of mappings to map the external token identity into
            CockroachDB Cloud
        issuer_url:
          type: string
          example: https://jwt-issuer.example.com
          title: The URL of the server issuing JWTs
        jwks:
          type: string
          example: >-
            {"keys":[{"e":"AQAB","use":"sig","kty":"RSA","alg":"RS256","n":"tid8bJCI5FxtvMiVHq8pRZBGIPaG9mEa1akpIC9munzxA3mWoc-KoR1TGkocu76WFthaZnPS31WJbRVChU6g4EMIg7E8Ltpxifk1PQu0qqbLcpnoI62ojsB7l_Z_lkls0NUzTuKGMMtNoJsDrL1BT0UzcnWerh2PwzDAMpfPgafWdT2IYGTx1gNLcNOWpPhDgMSQqUmIPwCmxdan4i4OMd7lJYQ1WQlN8VnQgbRgHrm1zImY6MPqho9jW3Ub5FwGbunwCDrP9a2dD_5Iwm7_lR82iB4BGlu28WxFn0fm5DgZAeAFSGKE1xblC97WrjnPh2XYTx6pxsea_Hn71VcNSQ","kid":"9341dedeee2d1869b657fa930300082fe26b3d92"}]}
          title: A set of public keys (JWKS) used to verify a JWT
      required:
        - id
        - issuer_url
        - audience
      title: JWTIssuer
    Status:
      type: object
      properties:
        code:
          format: int32
          type: integer
        details:
          type: array
          items:
            $ref: '#/components/schemas/Any'
        message:
          type: string
    JWTIssuerIdentityMapEntry:
      type: object
      properties:
        cc_identity:
          description: >-
            Specifies how to map the fetched token identity to an identity in
            CockroachDB Cloud. In case of a regular

            expression for token_identity, this must contain a \1 placeholder
            for the matched content. Note that you will need

            to escape the backslash in the string as in the example usage
            (\\\\1).

            The mapped identity must match with either a user email address or a
            service account ID.
          type: string
          example: \1
        token_identity:
          description: >-
            Specifies how to fetch external identity from the token claim. A
            regular expression must start

            with a forward slash. The regular expression must be in RE2
            compatible syntax. For further details, please see

            https://github.com/google/re2/wiki/Syntax.
          type: string
          example: /^sso_(.*)$
      required:
        - token_identity
        - cc_identity
      title: JWTIssuerIdentityMapEntry
    Any:
      description: >-
        `Any` contains an arbitrary serialized protocol buffer message along
        with a

        URL that describes the type of the serialized message.


        In its binary encoding, an `Any` is an ordinary message; but in other
        wire

        forms like JSON, it has a special encoding. The format of the type URL
        is

        described on the `type_url` field.


        Protobuf APIs provide utilities to interact with `Any` values:


        - A 'pack' operation accepts a message and constructs a generic `Any`
        wrapper
          around it.
        - An 'unpack' operation reads the content of an `Any` message, either
        into an
          existing message or a new one. Unpack operations must check the type of the
          value they unpack against the declared `type_url`.
        - An 'is' operation decides whether an `Any` contains a message of the
        given
          type, i.e. whether it can 'unpack' that type.

        The JSON format representation of an `Any` follows one of these cases:


        - For types without special-cased JSON encodings, the JSON format
          representation of the `Any` is the same as that of the message, with an
          additional `@type` field which contains the type URL.
        - For types with special-cased JSON encodings (typically called
        'well-known'
          types, listed in https://protobuf.dev/programming-guides/json/#any), the
          JSON format representation has a key `@type` which contains the type URL
          and a key `value` which contains the JSON-serialized value.

        The text format representation of an `Any` is like a message with one
        field

        whose name is the type URL in brackets. For example, an `Any` containing
        a

        `foo.Bar` message may be written `[type.googleapis.com/foo.Bar] { a: 2
        }`.
      type: object
      properties:
        '@type':
          description: >-
            Identifies the type of the serialized Protobuf message with a URI
            reference

            consisting of a prefix ending in a slash and the fully-qualified
            type name.


            Example: type.googleapis.com/google.protobuf.StringValue


            This string must contain at least one `/` character, and the content
            after

            the last `/` must be the fully-qualified name of the type in
            canonical

            form, without a leading dot. Do not write a scheme on these URI
            references

            so that clients do not attempt to contact them.


            The prefix is arbitrary and Protobuf implementations are expected to

            simply strip off everything up to and including the last `/` to
            identify

            the type. `type.googleapis.com/` is a common default prefix that
            some

            legacy implementations require. This prefix does not indicate the
            origin of

            the type, and URIs containing it are not expected to respond to any

            requests.


            All type URL strings must be legal URI references with the
            additional

            restriction (for the text format) that the content of the reference

            must consist only of alphanumeric characters, percent-encoded
            escapes, and

            characters in the following set (not including the outer backticks):

            `/-.~_!$&()*+,;=`. Despite our allowing percent encodings,
            implementations

            should not unescape them to prevent confusion with existing parsers.
            For

            example, `type.googleapis.com%2FFoo` should be rejected.


            In the original design of `Any`, the possibility of launching a type

            resolution service at these type URLs was considered but Protobuf
            never

            implemented one and considers contacting these URLs to be
            problematic and

            a potential security issue. Do not attempt to contact type URLs.
          type: string
      additionalProperties: {}
  securitySchemes:
    Bearer:
      type: http
      scheme: bearer

````