Metrics for JWT validation?
42 views
Skip to first unread message
Fabrice Triboix
Sep 24, 2025, 7:19:04 AMSep 24
to envoy-users
Hello,
Does Envoy generate metrics related to JWT validation? We are specifically interested in errors, ideally with details on what occurred exactly.
I just had a look at the Envoy documentation, but I can't find anything about such metrics...
Thanks for your help!
Fabrice
Ignasi Barrera
Sep 24, 2025, 9:31:56 AMSep 24
to Fabrice Triboix, envoy-users
Yes,
http.<stat prefix>.jwt_authn.allowed
http.<stat prefix>.jwt_authn.cors_preflight_bypassed
http.<stat prefix>.jwt_authn.denied
http.<stat prefix>.jwt_authn.jwks_fetch_failed
http.<stat prefix>.jwt_authn.jwks_fetch_success
http.<stat prefix>.jwt_authn.jwt_cache_hit
http.<stat prefix>.jwt_authn.jwt_cache_miss
There are the following stats:
http.<stat prefix>.jwt_authn.allowed
http.<stat prefix>.jwt_authn.cors_preflight_bypassed
http.<stat prefix>.jwt_authn.denied
http.<stat prefix>.jwt_authn.jwks_fetch_failed
http.<stat prefix>.jwt_authn.jwks_fetch_success
http.<stat prefix>.jwt_authn.jwt_cache_hit
http.<stat prefix>.jwt_authn.jwt_cache_miss
The stats are simple counters and do not contain additional details, though. You may need to refer to the "jwt" debug logs to get further details on the reason.
Regards,
I.
--
You received this message because you are subscribed to the Google Groups "envoy-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to envoy-users...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/envoy-users/10ab642b-3906-42de-8ddc-0787c359ed8en%40googlegroups.com.
Fabrice Triboix
Sep 26, 2025, 4:02:46 AMSep 26
to envoy-users
Hi Ignasi,
Thanks for your answer. I created a curl pod and when I curl the Envoy sidecar, I can't see any metrics with `jwt` in their name:
~ $ curl -sSL http://100.72.49.132:15020/stats/prometheus | tail -10 envoy_server_initialization_time_ms_bucket{le="10000"} 1 envoy_server_initialization_time_ms_bucket{le="30000"} 1 envoy_server_initialization_time_ms_bucket{le="60000"} 1 envoy_server_initialization_time_ms_bucket{le="300000"} 1 envoy_server_initialization_time_ms_bucket{le="600000"} 1 envoy_server_initialization_time_ms_bucket{le="1800000"} 1 envoy_server_initialization_time_ms_bucket{le="3600000"} 1 envoy_server_initialization_time_ms_bucket{le="+Inf"} 1 envoy_server_initialization_time_ms_sum{} 924.99999999999988631316227838397 envoy_server_initialization_time_ms_count{} 1 ~ $ curl -sSL http://100.72.49.132:15020/stats/prometheus | grep jwt ~ $
~ $ curl -sSL http://100.72.49.132:15020/stats/prometheus | tail -10 envoy_server_initialization_time_ms_bucket{le="10000"} 1 envoy_server_initialization_time_ms_bucket{le="30000"} 1 envoy_server_initialization_time_ms_bucket{le="60000"} 1 envoy_server_initialization_time_ms_bucket{le="300000"} 1 envoy_server_initialization_time_ms_bucket{le="600000"} 1 envoy_server_initialization_time_ms_bucket{le="1800000"} 1 envoy_server_initialization_time_ms_bucket{le="3600000"} 1 envoy_server_initialization_time_ms_bucket{le="+Inf"} 1 envoy_server_initialization_time_ms_sum{} 924.99999999999988631316227838397 envoy_server_initialization_time_ms_count{} 1 ~ $ curl -sSL http://100.72.49.132:15020/stats/prometheus | grep jwt ~ $
Fabrice Triboix
Sep 26, 2025, 4:02:51 AMSep 26
to envoy-users
Hi Ignasi,
~ $ curl -sSL http://100.72.49.132:15020/stats/prometheus | tail -10 envoy_server_initialization_time_ms_bucket{le="10000"} 1 envoy_server_initialization_time_ms_bucket{le="30000"} 1 envoy_server_initialization_time_ms_bucket{le="60000"} 1 envoy_server_initialization_time_ms_bucket{le="300000"} 1 envoy_server_initialization_time_ms_bucket{le="600000"} 1 envoy_server_initialization_time_ms_bucket{le="1800000"} 1 envoy_server_initialization_time_ms_bucket{le="3600000"} 1 envoy_server_initialization_time_ms_bucket{le="+Inf"} 1 envoy_server_initialization_time_ms_sum{} 924.99999999999988631316227838397 envoy_server_initialization_time_ms_count{} 1 ~ $ curl -sSL http://100.72.49.132:15020/stats/prometheus | grep jwt ~ $
Thanks for your answer. I just checked a specific deployment that I know for sure uses JWT validation. I created a curl pod and curled the metrics endpoint, and I can't see any metric with `jwt` is their name...
~ $ curl -sSL http://100.72.49.132:15020/stats/prometheus | tail -10 envoy_server_initialization_time_ms_bucket{le="10000"} 1 envoy_server_initialization_time_ms_bucket{le="30000"} 1 envoy_server_initialization_time_ms_bucket{le="60000"} 1 envoy_server_initialization_time_ms_bucket{le="300000"} 1 envoy_server_initialization_time_ms_bucket{le="600000"} 1 envoy_server_initialization_time_ms_bucket{le="1800000"} 1 envoy_server_initialization_time_ms_bucket{le="3600000"} 1 envoy_server_initialization_time_ms_bucket{le="+Inf"} 1 envoy_server_initialization_time_ms_sum{} 924.99999999999988631316227838397 envoy_server_initialization_time_ms_count{} 1 ~ $ curl -sSL http://100.72.49.132:15020/stats/prometheus | grep jwt ~ $
On Wednesday, 24 September 2025 at 14:31:56 UTC+1 Ignasi Barrera wrote:
Fabrice Triboix
Sep 26, 2025, 4:02:57 AMSep 26
to envoy-users
Hi Ignasi,
Thanks for your response.
I can't see any metric with `jwt` in their names...
Also, I assume the dot are converted into underscores before being scraped by Prometheus, correct?
Lastly, could you please explain to me what is this "stat prefix"?
Thanks a lot for your help!
Fabrice
On Wednesday, 24 September 2025 at 14:31:56 UTC+1 Ignasi Barrera wrote:
Reply all
Reply to author
Forward
0 new messages