Pre-verify arbitrary strings sent as PATs
Hi there. We currently use JWKS-based JWT validation in each of our microservices, which works perfectly fine. Now, to ease development and maybe provide "API key" style access later (as soon as PATs may be available for normal users), we also think about adding PAT support to our validation process. The big main concern right now is that PATs seem to definitely require a call to the introspection endpoint without the possibility to pre-verify that they are indeed Zitadel PATs that can be introspected. Since we are using the hosted version, we pay for admin API requests, which would leave us at a higher financial risk of getting high bills from Zitadel caused by malicious clients sending arbitrary strings in the authorization header. So, my question is: is there a way to somehow verify that a PAT originated from Zitadel before sending it to the introspection endpoint to see if it is still valid? I read the docs but couldn't find anything on this topic. Thanks in advance!
0 Replies
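Not a reply from the thread, but an added illustration of the mitigation the question circles around: keep the introspection call, but put cheap local checks, a hashed result cache (positive and negative) and a per-source rate limit in front of it, so that arbitrary strings in the Authorization header cannot each become one billed request. This is example code, not Zitadel's; the injected `introspect` callable, the `TOKEN_RE` shape and the TTL and bucket sizes are assumptions to tune for your tenant.

```python
import hashlib
import re
import time
from typing import Callable, Dict, Tuple

# Assumed token shape: printable, no whitespace, bounded length. This is an
# assumption for the example; check it against the PATs your tenant issues.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._~+/=-]{20,512}$")

class IntrospectionGate:
    """Wraps a billed introspection call so that arbitrary strings in the
    Authorization header cannot each turn into one paid request."""

    def __init__(self, introspect: Callable[[str], bool], neg_ttl: float = 300.0,
                 pos_ttl: float = 60.0, burst: int = 5, refill_per_sec: float = 0.2,
                 clock: Callable[[], float] = time.monotonic):
        self._introspect = introspect  # the real (billed) call, injected (assumed)
        self._cache: Dict[str, Tuple[bool, float]] = {}   # sha256(token) -> (active, expiry)
        self._buckets: Dict[str, Tuple[float, float]] = {}  # source -> (tokens, last refill)
        self.neg_ttl, self.pos_ttl = neg_ttl, pos_ttl
        self.burst, self.refill = burst, refill_per_sec
        self.clock = clock
        self.calls = 0  # billed calls actually made; export this as a metric

    def _allow(self, source: str) -> bool:
        """Token bucket per client source: caps uncached lookups one caller can trigger."""
        now = self.clock()
        tokens, last = self._buckets.get(source, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.refill)
        if tokens < 1.0:
            self._buckets[source] = (tokens, now)
            return False
        self._buckets[source] = (tokens - 1.0, now)
        return True

    def check(self, token: str, source: str) -> Tuple[bool, str]:
        """Returns (active, reason); only reason == 'introspected' costs money."""
        if not TOKEN_RE.fullmatch(token):
            return False, "malformed"  # rejected locally, nothing billed
        key = hashlib.sha256(token.encode()).hexdigest()  # never keep raw secrets in the cache
        hit = self._cache.get(key)
        if hit is not None and hit[1] > self.clock():
            return hit[0], "cached"  # positive and negative results are both cached
        if not self._allow(source):
            return False, "rate_limited"
        active = self._introspect(token)
        self.calls += 1
        self._cache[key] = (active, self.clock() + (self.pos_ttl if active else self.neg_ttl))
        return active, "introspected"
```

The short positive TTL bounds how long a revoked PAT keeps working; the negative cache and the bucket are what turn a flood of junk into a bounded number of billed calls, and `calls` is the number to alert on.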