Use your own identity provider (Google, Firebase, Clerk, Auth0, Supabase, etc.) instead of MoonDB's built-in auth. MoonDB validates RS256-signed JWTs against the provider's JWKS endpoint.
Clients send the provider's token as `Authorization: Bearer {token}`; MoonDB verifies it and takes the user identity from the `sub` claim (the claim name is set by `user_id_claim`). After this, all MoonDB access rules (`authenticated`, `owner`) work with the external user identity.
```http
PUT /p/{id}/v1/auth-config
X-Admin-Key: sk_...

{
  "provider": "external",
  "jwks_url": "https://your-provider.com/.well-known/jwks.json",
  "user_id_claim": "sub",
  "audience": "your-provider-audience",
  "issuer": "https://your-issuer"
}
```
Important: audience must match the aud claim in your provider's JWTs (usually your OAuth client ID or project ID at the provider). If omitted, it defaults to your MoonDB project ID — which won't match external tokens.
Google Sign-In:

```json
{
  "provider": "external",
  "jwks_url": "https://www.googleapis.com/oauth2/v3/certs",
  "user_id_claim": "sub",
  "audience": "YOUR_GOOGLE_CLIENT_ID.apps.googleusercontent.com",
  "issuer": "https://accounts.google.com"
}
```
`audience` = your Google OAuth Client ID. Get it from the Google Cloud Console.
Firebase:

```json
{
  "provider": "external",
  "jwks_url": "https://www.googleapis.com/service/v3/beta/jwk/securetoken@system.gserviceaccount.com",
  "user_id_claim": "sub",
  "audience": "YOUR_FIREBASE_PROJECT_ID",
  "issuer": "https://securetoken.google.com/YOUR_FIREBASE_PROJECT_ID"
}
```
`audience` and `issuer` both use your Firebase project ID (found in Firebase Console → Project Settings).
Clerk:

```json
{
  "provider": "external",
  "jwks_url": "https://YOUR_CLERK_DOMAIN/.well-known/jwks.json",
  "user_id_claim": "sub",
  "audience": "your-audience",
  "issuer": "https://YOUR_CLERK_DOMAIN"
}
```
Find your JWKS URL in the Clerk Dashboard → JWT Templates → JWKS endpoint.
Auth0:

```json
{
  "provider": "external",
  "jwks_url": "https://YOUR_TENANT.auth0.com/.well-known/jwks.json",
  "user_id_claim": "sub",
  "audience": "your-api-identifier",
  "issuer": "https://YOUR_TENANT.auth0.com/"
}
```
`audience` = the API Identifier from Auth0 Dashboard → Applications → APIs.
Supabase:

```json
{
  "provider": "external",
  "jwks_url": "https://YOUR_REF.supabase.co/auth/v1/.well-known/jwks.json",
  "user_id_claim": "sub",
  "audience": "authenticated",
  "issuer": "https://YOUR_REF.supabase.co/auth/v1"
}
```
```js
// Example: Google Sign-In → MoonDB
const { credential } = googleResponse; // Google ID token (JWT)
const res = await fetch(MOONDB_URL + '/api/posts', {
  headers: {
    'Authorization': 'Bearer ' + credential,
    'X-Public-Key': 'pk_...'
  }
});
```
```http
# Read current config
GET /p/{id}/v1/auth-config      (X-Admin-Key: sk_...)

# Remove external auth (revert to built-in)
DELETE /p/{id}/v1/auth-config   (X-Admin-Key: sk_...)
```
`jwks_url` must be `https://` on a known IdP host: `*.clerk.com`, `*.auth0.com`, `*.supabase.co`, `*.firebaseapp.com`, `*.googleapis.com`, `securetoken.google.com`, `*.amazoncognito.com`, `*.kinde.com`, `*.workos.com`, `*.stytch.com`

| Error | Cause | Fix |
|---|---|---|
| `AUTH_BAD_AUDIENCE` | `audience` in config doesn't match token's `aud` | Set `audience` to your OAuth client ID / Firebase project ID |
| `AUTH_BAD_ISSUER` | `issuer` in config doesn't match token's `iss` | Check your provider's issuer URL (include trailing slash if needed) |
| `AUTH_UNSUPPORTED_ALG` | Token uses HS256 or another algorithm | Configure your provider to issue RS256 tokens |
| `AUTH_JWKS_FETCH_FAILED` | JWKS URL unreachable or wrong format | Verify the URL returns a JSON `{"keys": [...]}` response |
| `AUTH_NO_KEY` | No matching key in JWKS for token's `kid` | Provider may have rotated keys — wait up to 1h for cache refresh |
| `VALIDATION_JWKS_HOST` | JWKS URL host not in allowlist | Use a supported provider or contact support |
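The checks MoonDB describes (https-only JWKS URL on an allowlisted host, the audience default pitfall, RS256 only, `kid` present in the JWKS, exact `aud` and `iss` match) are easy to misconfigure and hard to debug from a bare error code. The following is an added pre-flight script, not MoonDB's own code: `check_config` flags a config body before you PUT it, and `diagnose_token` decodes a token's header and claims and reports which row of the table above it would hit. It deliberately does no signature verification (MoonDB does that against the JWKS), and the order in which it applies the checks is an assumption, not documented behaviour. The allowlist is copied from the page; the sample client ID, project id, JWKS and token are constructed here.

```python
import base64
import json
from urllib.parse import urlsplit

# JWKS host allowlist as listed on this page. A "*." entry matches any host
# with at least one label in front of that suffix; a bare entry matches
# exactly that host.
ALLOWED_JWKS_HOSTS = (
    "*.clerk.com", "*.auth0.com", "*.supabase.co", "*.firebaseapp.com",
    "*.googleapis.com", "securetoken.google.com", "*.amazoncognito.com",
    "*.kinde.com", "*.workos.com", "*.stytch.com",
)


def host_allowed(host, allowlist=ALLOWED_JWKS_HOSTS):
    """Match on a label boundary: 'tenant.auth0.com' passes '*.auth0.com',
    'auth0.com.attacker.example' does not (it merely contains the string)."""
    host = host.lower().rstrip(".")
    for pattern in allowlist:
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):      # pattern[1:] keeps the leading dot
                return True
        elif host == pattern:
            return True
    return False


def check_config(config, project_id):
    """Problems with an auth-config body, found before it is PUT."""
    problems = []
    url = urlsplit(config.get("jwks_url", ""))
    if url.scheme != "https":
        problems.append("jwks_url must use https://")
    if not host_allowed(url.hostname or ""):
        problems.append("VALIDATION_JWKS_HOST")
    if not config.get("audience"):
        # The page warns that a missing audience falls back to the MoonDB
        # project id, which never matches an external provider's aud claim.
        problems.append(f"audience omitted; would default to {project_id!r}")
    return problems


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def diagnose_token(token, config, jwks, project_id):
    """Return the table's error code a token would hit, or None if every
    claim-level check passes. Signature verification is left to MoonDB; the
    check order here is an assumption, not documented behaviour."""
    if not isinstance(jwks, dict) or not isinstance(jwks.get("keys"), list):
        return "AUTH_JWKS_FETCH_FAILED"          # not a {"keys": [...]} document
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") != "RS256":
        return "AUTH_UNSUPPORTED_ALG"
    if header.get("kid") not in {k.get("kid") for k in jwks["keys"]}:
        return "AUTH_NO_KEY"
    expected_aud = config.get("audience") or project_id   # page's default rule
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a list
    if expected_aud not in audiences:
        return "AUTH_BAD_AUDIENCE"
    if claims.get("iss") != config.get("issuer"):          # exact, slash-sensitive
        return "AUTH_BAD_ISSUER"
    return None


def make_unsigned_token(header, claims):
    """Constructed test token with an empty signature: enough for the claim
    checks above, never accepted by a real verifier."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."


# Constructed sample data: the page's Google config with a made-up client id,
# and a JWKS whose key material is omitted.
PROJECT_ID = "moondb-project-id"
GOOGLE_CONFIG = {
    "provider": "external",
    "jwks_url": "https://www.googleapis.com/oauth2/v3/certs",
    "user_id_claim": "sub",
    "audience": "12345.apps.googleusercontent.com",
    "issuer": "https://accounts.google.com",
}
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-1", "use": "sig",
                         "n": "<modulus omitted>", "e": "AQAB"}]}

if __name__ == "__main__":
    token = make_unsigned_token(
        {"alg": "RS256", "kid": "key-1"},
        {"iss": GOOGLE_CONFIG["issuer"], "aud": GOOGLE_CONFIG["audience"],
         "sub": "1234567890"})
    print(check_config(GOOGLE_CONFIG, PROJECT_ID),
          diagnose_token(token, GOOGLE_CONFIG, SAMPLE_JWKS, PROJECT_ID))
```

Two details are worth copying into any real validator: the host allowlist is matched on a label boundary (a suffix check with the dot included), so a lookalike host that merely contains `auth0.com` is rejected, and `aud` is compared as a set membership because providers may issue it as an array.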