External Auth

Use Clerk, Auth0, Supabase, or any OIDC provider instead of MoonDB's built-in auth.

PUT /p/{id}/v1/auth-config
X-Admin-Key: sk_...

{
  "provider": "external",
  "jwks_url": "https://your-provider.com/.well-known/jwks.json",
  "user_id_claim": "sub",
  "audience": "your-audience",
  "issuer": "https://your-issuer"
}

After configuration, users authenticate with your provider and pass their JWT to MoonDB. MoonDB validates the RS256-signed token against the JWKS endpoint.

How it works

1. User logs in via Clerk/Auth0/etc.
2. Your frontend gets a JWT from the provider
3. Pass that JWT to MoonDB as Authorization: Bearer {token}
4. MoonDB validates it via JWKS and extracts the user ID

Restrictions

jwks_url is validated server-side and must be:

• https:// only (no http://, no userinfo)
• A known IdP host suffix: *.clerk.com, *.clerk.accounts.dev, *.auth0.com, *.supabase.co, *.firebaseapp.com, securetoken.google.com, *.amazoncognito.com, *.kinde.com, *.workos.com, *.stytch.com. Need another? Ask support.

audience defaults to your project_id if you don't set it explicitly. This blocks cross-project JWT replay when two MoonDB projects share the same IdP tenant.