How to Allow Either JWT or API Key to Pass Authentication

[s35241607]

Hi everyone,

I'm currently using KONG as my API Gateway, and I have a requirement to allow both JWT and API Key authentication on the same Route, where passing either one would be sufficient. However, I encountered some issues.

Here are the two approaches I've tried so far, but neither worked as expected:

Enabling both JWT and key-auth plugins on the same Route, but this requires both to pass authentication, which is not what I need.
Setting anonymous for both the JWT and key-auth plugins, but this allows requests to pass even when neither JWT nor API Key is provided.
Is there a way to achieve the behavior where either JWT or API Key can individually pass authentication?
Should I adjust my configuration or use a different approach?

Thanks in advance for your help!

[Oyami-Srk]

The second approach is correct. According to the documentation, setting anonymous will make a OR logic.
You may want to use the Request Termination plugin to disallow the anonymous user from accessing.

[s35241607]

thank you, it works