Set up JWT

Self-managed authentication integrated with your login system

Set up JWT

Self-managed authentication integrated with your login system

Enterprise feature

This feature is available only for the Enterprise plan. To get started, reach out to support@buildwithfern.com.

With JWT, you manage the entire auth flow. This involves building and signing a fern_token cookie that integrates your docs with your existing login system. Like OAuth, JWT enables:

Login only — gate docs behind authentication
RBAC — restrict content by user role
API key injection — pre-fill API keys in the API Explorer

How it works

A user clicks Login on your docs site and is redirected to your authentication page.
After authentication, your system signs a JWT with a secret key from Fern and sets it as a fern_token cookie.
Fern reads the token to determine the user’s access and credentials.

Architecture diagram

Configuration

Get your secret key

Reach out to Fern to get your secret key and send them the URL of your authentication page. This is where users are redirected after clicking Login.

Build the `fern` claim

The JWT payload must include a fern claim. What you include in the token’s fern claim controls which features are enabled: login only, RBAC, or API key injection.

1 {
2   "fern": {}
3 }

Enable RBAC or API key injection (optional)

Once your fern_token is working, configure the features you need:

Role-based access control — define roles in docs.yml and restrict navigation items or page content by role.
API key injection — configure the playground payload, including custom headers, multiple API keys, and per-environment credentials.

Enterprise feature

This feature is available only for the Enterprise plan. To get started, reach out to support@buildwithfern.com.

With JWT, you manage the entire auth flow. This involves building and signing a fern_token cookie that integrates your docs with your existing login system. Like OAuth, JWT enables:

Login only — gate docs behind authentication
RBAC — restrict content by user role
API key injection — pre-fill API keys in the API Explorer

How it works

A user clicks Login on your docs site and is redirected to your authentication page.
After authentication, your system signs a JWT with a secret key from Fern and sets it as a fern_token cookie.
Fern reads the token to determine the user’s access and credentials.

Architecture diagram

Configuration

Get your secret key

Reach out to Fern to get your secret key and send them the URL of your authentication page. This is where users are redirected after clicking Login.

Build the `fern` claim

The JWT payload must include a fern claim. What you include in the token’s fern claim controls which features are enabled: login only, RBAC, or API key injection.

1 {
2   "fern": {}
3 }

Enable RBAC or API key injection (optional)

Once your fern_token is working, configure the features you need:

Role-based access control — define roles in docs.yml and restrict navigation items or page content by role.
API key injection — configure the playground payload, including custom headers, multiple API keys, and per-environment credentials.

1	import { SignJWT } from "jose";
2	import { cookies } from "next/headers";
3	import { type NextRequest, NextResponse } from "next/server";
4
5	export async function GET(req: NextRequest): Promise<NextResponse> {
6	const domain = getDomain(req); // your logic to determine the docs domain
7
8	// use the state param to determine redirect location
9	const returnTo = req.nextUrl.searchParams.get("state");
10	const redirectLocation = returnTo ?? `https://${domain}`;
11
12	// fetch the user's API key, roles, and secret (from your config or database)
13	const apiKey = await getApiKeyForUser();
14	const roles = await getRolesForUser();
15	const secret = await getSecretForDomain(domain);
16
17	if (!secret) {
18	// redirect with an error if credentials are missing
19	const url = new URL(redirectLocation);
20	url.searchParams.set("error", "missing_credentials");
21	return NextResponse.redirect(url);
22	}
23
24	// mint the JWT using the secret key
25	const fernToken = await mintFernToken({ secret, apiKey, roles });
26
27	if (!fernToken) {
28	const url = new URL(redirectLocation);
29	url.searchParams.set("error", "token_creation_failed");
30	return NextResponse.redirect(url);
31	}
32
33	// set the fern_token as a cookie on the docs domain
34	const cookieJar = await cookies();
35	cookieJar.set("fern_token", fernToken, {
36	httpOnly: true,
37	secure: true,
38	sameSite: "lax",
39	domain,
40	});
41
42	// redirect the user back to the docs
43	return NextResponse.redirect(redirectLocation);
44	}
45
46	const encoder = new TextEncoder();
47
48	async function mintFernToken({
49	secret,
50	apiKey,
51	roles,
52	}: {
53	secret: string;
54	apiKey?: string;
55	roles?: string[];
56	}): Promise<string> {
57	const fern: Record<string, unknown> = {};
58
59	if (roles) {
60	fern.roles = roles;
61	}
62
63	if (apiKey) {
64	fern.playground = {
65	initial_state: {
66	auth: {
67	bearer_token: apiKey,
68	},
69	},
70	};
71	}
72
73	return await new SignJWT({ fern })
74	.setProtectedHeader({ alg: "HS256", typ: "JWT" })
75	.setIssuedAt()
76	.setExpirationTime("1d") // set to any value
77	.setIssuer("https://buildwithfern.com")
78	.sign(encoder.encode(secret)); // sign using the secret provided by Fern
79	}

1	import { SignJWT } from "jose";
2	import { cookies } from "next/headers";
3	import { type NextRequest, NextResponse } from "next/server";
4
5	export async function GET(req: NextRequest): Promise<NextResponse> {
6	const domain = getDomain(req); // your logic to determine the docs domain
7
8	// use the state param to determine redirect location
9	const returnTo = req.nextUrl.searchParams.get("state");
10	const redirectLocation = returnTo ?? `https://${domain}`;
11
12	// fetch the user's API key, roles, and secret (from your config or database)
13	const apiKey = await getApiKeyForUser();
14	const roles = await getRolesForUser();
15	const secret = await getSecretForDomain(domain);
16
17	if (!secret) {
18	// redirect with an error if credentials are missing
19	const url = new URL(redirectLocation);
20	url.searchParams.set("error", "missing_credentials");
21	return NextResponse.redirect(url);
22	}
23
24	// mint the JWT using the secret key
25	const fernToken = await mintFernToken({ secret, apiKey, roles });
26
27	if (!fernToken) {
28	const url = new URL(redirectLocation);
29	url.searchParams.set("error", "token_creation_failed");
30	return NextResponse.redirect(url);
31	}
32
33	// set the fern_token as a cookie on the docs domain
34	const cookieJar = await cookies();
35	cookieJar.set("fern_token", fernToken, {
36	httpOnly: true,
37	secure: true,
38	sameSite: "lax",
39	domain,
40	});
41
42	// redirect the user back to the docs
43	return NextResponse.redirect(redirectLocation);
44	}
45
46	const encoder = new TextEncoder();
47
48	async function mintFernToken({
49	secret,
50	apiKey,
51	roles,
52	}: {
53	secret: string;
54	apiKey?: string;
55	roles?: string[];
56	}): Promise<string> {
57	const fern: Record<string, unknown> = {};
58
59	if (roles) {
60	fern.roles = roles;
61	}
62
63	if (apiKey) {
64	fern.playground = {
65	initial_state: {
66	auth: {
67	bearer_token: apiKey,
68	},
69	},
70	};
71	}
72
73	return await new SignJWT({ fern })
74	.setProtectedHeader({ alg: "HS256", typ: "JWT" })
75	.setIssuedAt()
76	.setExpirationTime("1d") // set to any value
77	.setIssuer("https://buildwithfern.com")
78	.sign(encoder.encode(secret)); // sign using the secret provided by Fern
79	}

Enterprise feature

How it works

Architecture diagram

Configuration

Get your secret key

Build the fern claim

Set the fern_token cookie

Example: Complete callback endpoint

Enable RBAC or API key injection (optional)

Enterprise feature

How it works

Architecture diagram

Configuration

Get your secret key

Build the fern claim

Set the fern_token cookie

Example: Complete callback endpoint

Enable RBAC or API key injection (optional)

Build the `fern` claim

Set the `fern_token` cookie

Build the `fern` claim

Set the `fern_token` cookie