We are excited to announce the launch of authzjwtbearerinjector on October 10, 2024. This new project provides a robust way to automate the acquisition and injection of OAuth 2.0 tokens into requests flowing through the Envoy Proxy, significantly simplifying how you secure your backend services.

What is authzjwtbearerinjector?

authzjwtbearerinjector is a gRPC-based External Authorization (ExtAuthz) service designed to run as a sidecar to Envoy Proxy. It implements the JWT-bearer flow, allowing it to act as a secure intermediary that handles the complexities of token exchange.

Instead of requiring your clients or the proxy itself to manage private keys and token refresh logic, authzjwtbearerinjector takes over the process. It uses a local RSA private key to sign a JWT, exchanges that JWT for an access token from your OAuth 2.0 provider, and injects the resulting bearer token directly into the Authorization header of the upstream request.

Key capabilities included in this first release:

  • Automated JWT-Bearer Flow: Full support for RS256 signing and seamless exchange for OAuth 2.0 tokens.
  • Flexible Configuration: Configure the service via YAML files, environment variables, or dynamically via Envoy route metadata for per-route customization.
  • Intelligent Caching: Built-in token caching with a “soft expiration” mechanism to proactively refresh tokens before they expire, ensuring minimal latency for your requests.
  • Deep Envoy Integration: Designed specifically for the envoy.ext_authz filter, making it a natural fit for modern service mesh and API gateway architectures.

Why it matters

Managing authentication tokens in a distributed system can be a significant overhead. Traditionally, you either have to implement token exchange logic in every client or build complex custom filters within your proxy.

authzjwtbearerinjector decouples authentication logic from your application code and proxy configuration. By offloading the token acquisition process to a dedicated sidecar, you ensure that:

  • Security is Centralized: Private keys are managed in a single, controlled environment rather than distributed across multiple clients.
  • Backends Stay Simple: Your backend services receive standard, valid OAuth 2.0 tokens without needing to know how they were acquired.
  • Operational Efficiency: Token caching and proactive refreshing reduce the load on your identity provider and eliminate “token expired” spikes in your error rates.

Getting Started

authzjwtbearerinjector is available as a Docker image via GitHub Packages: ghcr.io/unitvectory-labs/authzjwtbearerinjector.

To get started, deploy the service as a sidecar and configure the envoy.ext_authz filter in your Envoy configuration to point to the injector. You can find detailed configuration guides and examples in our repository.

This post was AI-generated using the model unsloth/gemma-4-31B-it-GGUF:UD-Q5_K_XL on 2026-04-09, based on the authzjwtbearerinjector repository and the v0.1.0 release. Author: release-storyteller