Authentication Configuration

This reference covers security and authentication settings for your MooseStack APIs.

Secret Management

Never commit plain-text tokens or passwords to version control. Store sensitive values in a secrets manager or as environment variables (for example MOOSE_JWT__SECRET or MOOSE_ADMIN_TOKEN) and reference them from config. For local development only, use a git-ignored .env.local file.

JWT Configuration

Configure JSON Web Token (JWT) validation for your ingestion and consumption APIs.

    [jwt]
    # Enforce JWT on all consumption APIs (Default: false)
    enforce_on_all_consumptions_apis = false
    # Enforce JWT on all ingestion APIs (Default: false)
    enforce_on_all_ingest_apis = false
    # Secret key for JWT signing (Required if jwt is enabled)
    # secret = "your-jwt-secret"
    # JWT issuer (Required if jwt is enabled)
    # issuer = "your-issuer-name"
    # JWT audience (Required if jwt is enabled)
    # audience = "your-audience-name"

| Key | Env Variable | Default | Description |
|---|---|---|---|
| enforce_on_all_consumptions_apis | MOOSE_JWT__ENFORCE_ON_ALL_CONSUMPTIONS_APIS | false | Globally enable JWT for consumption endpoints. |
| enforce_on_all_ingest_apis | MOOSE_JWT__ENFORCE_ON_ALL_INGEST_APIS | false | Globally enable JWT for ingestion endpoints. |
| secret | MOOSE_JWT__SECRET | - | SECRET. The key used to sign/verify tokens. |
| issuer | MOOSE_JWT__ISSUER | - | Expected token issuer claim (iss). |
| audience | MOOSE_JWT__AUDIENCE | - | Expected token audience claim (aud). |

Warning:

The secret field contains sensitive authentication material and should never be defined in plaintext in moose.config.toml. Store it in your secrets manager and expose it via the MOOSE_JWT__SECRET environment variable.

General Authentication Settings

Configure global authentication settings for the Admin API.

    [authentication]
    # Optional hashed admin API key for auth (Default: None)
    # admin_api_key = "hashed_api_key"

| Key | Env Variable | Default | Description |
|---|---|---|---|
| admin_api_key | MOOSE_AUTHENTICATION__ADMIN_API_KEY | - | SECRET. Hash of the admin API key. |
| admin_token | MOOSE_ADMIN_TOKEN | - | SECRET. Plain-text admin API token. DO NOT COMMIT THIS TO VERSION CONTROL. |

Warning:

The admin_token field contains a plain-text token and should never be defined in moose.config.toml. Store it in your .env.local file for local development only.

MooseTip:

The admin_api_key field stores a PBKDF2 hash, not the plain-text token. It is safe to commit this hashed value to version control since the Bearer token cannot be derived from it.
