Grafana version: 12.3.2, docker (latest, actually grafana/grafana-oss:12.3.2)
Operating system: Docker image under Debian GNU/Linux 13 (trixie) and Windows 11
What are you trying to achieve?
Login with JWT token in url or header.
How are you trying to achieve it?
I followed the documentation, then tried many configurations, then tried anything I found online.
I also tried on two different systems (Docker container on Windows 11 locally and Docker container on Debian 13, exposed via NGINX) with the same outcome.
Here I will paste the latest version of my configuration:
[auth.jwt]
enabled = true
url_login = true
; also tried with header_name = X-JWT-Assertion
skip_org_role_sync = true
; also tried turning this to "false"
username_claim=sub
email_claim=email
; also tried with paths instead of claims
key_file = /etc/grafana/key_file.pub.pem
; double checked, it should be readable and matches with private one
allow_assign_grafana_admin = false
auto_assign_org_role = Viewer
; tried also removing this and using role_attribute_path
I also checked under “Home > Administration > General > Settings” on the UI (as admin), and the configuration looked ok.
And here is a sample token (related to the latest configuration you find up here^):
{
header: { alg: ‘RS384’, typ: ‘JWT’ },
payload: {
sub: ‘test.user’,
email: ‘test@localhost’,
iss: ‘aaa.example.com’,
nbf: 1770390210,
iat: 1770390215,
exp: 1770393815
},
signature: ‘***’
}
I double checked the token (also by subbmitting it on jwt.io with its public key) and it was correct (verified).
What appened?
Grafana keeps redirecting me to the login page even though the key and JWT token seem to be correct (I tested the token in three different ways and it’s being verified, also the payload seems ok).
Logs are showing this:
logger=context userId=0 orgId=0 uname= t=2026-02-04T15:40:04.975184679Z level=debug msg=“Failed to authenticate user in global scope” error=“[auth.identity.unsupported] invalid identity type”
What did you expect to happen?
I should land on any Grafana dashboard (or any other available ui page) as an authenticated user.
I somehow managed to make it work in the past, but now I’m not able to reproduce the functionality. It might be because of the docker image update (I have been using a different Grafana version, don’t remember which one at the moment), or maybe something else, not sure.
Did you follow any online instructions? If so, what is the URL?
Official documentation (Configure JWT authentication | Grafana documentation), then tried myself and everything I found online. At some point I was so frustrated that I tried by following Gemini 3 Pro with Google grounding, but it didn’t work.
Logs are not helping, documentation is not helping, neither other posts on this forum or Stack Overflow, or other resources online.
Under the Debian 13 deployment, where requests are proxed by NGINX, I also tried using an header instead of `auth_token` query parameter. I verified that NGINX was correctly passing the “X-JWT-Assertion” header, and that the configuration correctly reported the “header_name = X-JWT-Assertion” line, but it made no difference.
Question
Is there something I’m missing?
Is there something else I could try?
Any help would be appreciated.