This is a project that showcases how to use Neon Authorize with custom JWTs. Instead of relying on JWTs that are generated by an authentication provider (Clerk, Auth0, etc.), this project uses a custom JWT that is signed by the server.
This is a HONC API which exposes a few endpoints:

- `/api/token` — returns a custom JWT that is signed by the server
- `/.well-known/jwks.json` — returns the public key that can be used to verify the signature of the custom JWT (this is the JWKS endpoint Neon Authorize fetches to verify the signature of the custom JWT)
- `/api/users` — returns a list of users
- `/api/tenants` — returns a list of tenants
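The three pieces behind `/api/token` and `/.well-known/jwks.json` (key generation, token minting, and the verification a relying party such as Neon Authorize performs against the JWKS) are shown below as an added example. This is not the project's own code: the project's `generate-keys.ts` and route handlers are not reproduced here, and the choice of ES256 on P-256, the `kid`, the claim names `sub` and `tenant_id`, and the five-minute lifetime are assumptions for the example. It goes one step beyond the page by also showing the rejections a correct verifier must make (tampered payload, `alg: none`, expired token, unknown key), which is what Neon does on your behalf once the JWKS URL is configured. Only `node:crypto` is used, so it runs under Bun or Node without extra dependencies.

```typescript
// Added example, not the project's code. Custom ES256 JWT issuance, the JWKS
// document that publishes only the public key, and JWKS-based verification.
// Assumptions: P-256/ES256 keys, a random 'kid', and sub/tenant_id claims.
import { createPrivateKey, createPublicKey, generateKeyPairSync, randomUUID, sign, verify } from "node:crypto";

// Minimal EC JWK shape. 'd' is the private scalar and must never leave the server.
type Jwk = { kty: string; crv?: string; x?: string; y?: string; d?: string; kid?: string; alg?: string; use?: string };
type Jwks = { keys: Jwk[] };
type Claims = Record<string, unknown>;

const b64url = (data: Buffer | string): string =>
  (typeof data === "string" ? Buffer.from(data, "utf8") : data).toString("base64url");
const fromB64url = (s: string): Buffer => Buffer.from(s, "base64url");

// Stand-in for a generate-keys step: one P-256 key pair exported as two JWK
// files that share a kid so the verifier can pick the right key.
function generateKeys(): { privateKey: Jwk; publicKey: Jwk } {
  const { privateKey, publicKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
  const meta = { kid: randomUUID(), alg: "ES256", use: "sig" };
  return {
    privateKey: { ...(privateKey.export({ format: "jwk" }) as Jwk), ...meta },
    publicKey: { ...(publicKey.export({ format: "jwk" }) as Jwk), ...meta },
  };
}

// What /.well-known/jwks.json should return. Strips 'd' defensively so that
// wiring up the wrong file can never publish the private key.
function jwksDocument(key: Jwk): Jwks {
  const pub: Jwk = { ...key };
  delete pub.d;
  return { keys: [pub] };
}

// What /api/token does: base64url(header).base64url(payload), signed with ES256.
function signJwt(privateKey: Jwk, claims: Claims, ttlSeconds = 300, now = Math.floor(Date.now() / 1000)): string {
  const header = { alg: "ES256", typ: "JWT", kid: privateKey.kid };
  const payload = { iat: now, exp: now + ttlSeconds, ...claims };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const key = createPrivateKey({ key: privateKey, format: "jwk" });
  // JWS requires the raw r||s encoding (ieee-p1363), not OpenSSL's default DER.
  const sig = sign("sha256", Buffer.from(signingInput, "utf8"), { key, dsaEncoding: "ieee-p1363" });
  return `${signingInput}.${b64url(sig)}`;
}

// Decode one base64url JSON segment; null on any malformed input.
function decodePart(part: string): Record<string, unknown> | null {
  try {
    const v: unknown = JSON.parse(fromB64url(part).toString("utf8"));
    return v !== null && typeof v === "object" && !Array.isArray(v) ? (v as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

// What the relying party does with the JWKS: pin the algorithm, select the key
// by kid, verify the signature over the exact encoded header.payload, then
// check expiry. Returns the claims on success and null on any failure.
function verifyJwt(token: string, jwks: Jwks, now = Math.floor(Date.now() / 1000)): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts as [string, string, string];
  const header = decodePart(h);
  const payload = decodePart(p);
  if (!header || !payload) return null;
  // Never let the token choose the algorithm ("alg":"none", key-confusion attacks).
  if (header.alg !== "ES256" || typeof header.kid !== "string") return null;
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "EC" && k.crv === "P-256");
  if (!jwk) return null;
  const key = createPublicKey({ key: jwk, format: "jwk" });
  const ok = verify("sha256", Buffer.from(`${h}.${p}`, "utf8"), { key, dsaEncoding: "ieee-p1363" }, fromB64url(s));
  if (!ok) return null;
  const exp = payload.exp;
  if (typeof exp !== "number" || exp <= now) return null;
  return payload;
}
```

In the Worker itself the private JWK would come from `env.PRIVATE_KEY` (parsed from the JSON you put in the config) rather than being generated per request, and `/.well-known/jwks.json` would return `jwksDocument(JSON.parse(env.PUBLIC_KEY))`. The two details most often got wrong when hand-rolling this are visible above: the ES256 signature must be the 64-byte `r||s` form, not DER, and the verifier must pin `alg` and look the key up by `kid` instead of trusting anything the token header says.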
The schema is generated by Drizzle and can be found in `src/db/schema.ts`. The generated SQL is in the `drizzle/` directory. There's also a `seed.sql` file that can be used to seed the database with data specific to this demo.
- Generate the keys that will be used to sign the JWT. You can run `bun generate-keys.ts` and you will get a `publicKey.jwk.json` and a `privateKey.jwk.json` file. Only the public key is ever served (via `/.well-known/jwks.json`); the private key stays on the server.
- Create a Neon project.
- Set up a `wrangler.toml` file with the following configuration:
```toml
name = "my-honc-service"
compatibility_date = "2024-07-25"
compatibility_flags = [ "nodejs_compat" ]

[vars]
# neondb_owner role
OWNER_DATABASE_URL = ""
# authenticated, passwordless role (you can keep this empty for now)
DATABASE_URL = ""
# contents of publicKey.jwk.json
PUBLIC_KEY=''
# contents of privateKey.jwk.json
PRIVATE_KEY=''
```

Note that `[vars]` are plaintext in `wrangler.toml` and end up in version control. That is acceptable for a throwaway demo, but for anything else keep `PRIVATE_KEY` and the database URLs out of the file and set them with `wrangler secret put PRIVATE_KEY` (and likewise for the URLs); the Worker reads a secret through the same `env` binding as a var.
- Deploy this demo with `bun run deploy`.
- Go to `https://my-honc-service.<your-name>.workers.dev/.well-known/jwks.json` to verify the public key is being served appropriately. The served JWK must not contain a `d` member: that is the private scalar, and if it appears the key pair has been exposed and has to be regenerated.
- Go to the Authorize page in the Neon console and add an auth provider (type should be "Other"), and set the JWKS URL to the URL from the previous step.
- Follow the steps in the UI to set up the roles for Neon Authorize. You should ignore the schema-related steps if you're following this guide.
- Apply migrations with `bun run db:migrate` (you'll have to populate `.dev.vars` with the database URLs from the Neon console). Notice that there are two different database URLs expected in the `.dev.vars` file: `OWNER_DATABASE_URL` is for the `neondb_owner` role, and `DATABASE_URL` is for the `authenticated`, passwordless role.
- Seed the database with `bun run db:seed`.
- Grab the `authenticated` role's database URL from the Neon console and set it in the `.dev.vars` file, as well as in the `wrangler.toml` file.
- Deploy this demo again with `bun run deploy`.
- Head to `https://my-honc-service.<your-name>.workers.dev/api/users` and `https://my-honc-service.<your-name>.workers.dev/api/tenants` to verify that the API is working as intended.