JWT Plugin: Invalid Signature

Hi Folks,
First question from a a first time user of Kong.

  • Kong deployed using Helm running as Ingress Controller in Kubernetes
  • JWT KongPlugin resource used to validate Okta Authorisation code per namespace
  • KongConsumer deployed per namespace
  • KongCredential deployed per namespace mapped to KongConsumer and configured to use RS256, Key and RSA Public Key supplied.


  • OKTA authentication is successful
  • JWT validation fails as “Invalid Signature”

I have tried using HS256 as the algorithm without success.
I have also tried using Kubernetes Secret instead of KongCredential which is deprecated.
As I am using community version JWKS is not an option, no supported Plugin but then I have the correct Public Key configured.

Help much appreciated.


I’m in a similar situation I think. How did you set the algorithm of the credential to RS256 when creating the kubernetes secret? I’m trying to use this as KongCredential is deprecated.

Are you setting the plugin, consumer, etc through the declarative config file or through yaml manifests? Could you share your config?


What did you try? You generally need to set the keys using the following flags when creating the secret:

--from-literal=algorithm=foo --from-literal=another-key=another-value

My issue was with a validation of the rsa key with RS256. I could fixed it provided the correct key format. Thanks for the reply!

Hi, I have same issue using HS256

this is my secret

apiVersion: v1
kind: Secret
name: app-jwt
type: Opaque
kongCredType: jwt
key: auth
algorithm: HS256
secret: pleaseChangeThisSecretForANewOne