Token-based Authentication User Attribution

Updated
  • 7 minute(s) read
Prev Next

The token-based authentication method uses a token to transmit the user ID, role, scope, and other information. When setting up this method, you must specify the conditions for Traceable to extract and transform the JWT token and define the attributes according to your requirements. This authentication method is secure and scalable for user attribution, as it embeds the user's ID, role, and scope in the token, which the server can easily verify.

What will you learn in this topic?

By the end of this topic, you will be able to:

  • Understand how token-based authentication links API requests to authenticated users.

  • Learn how to define the authentication scope for your environment and services.

  • Learn how to extract and transform the JWT token from requests.

  • Learn how to map JWT claims to authentication attributes for user attribution.

Understand token-based authentication user attribution

Token-based authentication user attribution helps you identify who is accessing your APIs by extracting identity claims from JWT or bearer tokens. It connects each request to a verified user and enriches it with contextual information such as role and scope, improving visibility, control, and threat analysis. The table below explains why you use it, when it applies, and how you can leverage it.

Why use it?

When to use?

How can you leverage it?

You gain deep visibility into authenticated API activity by extracting identity claims such as user ID, role, and scope directly from JWT tokens. This enables accurate, scalable, and context-rich user attribution without relying on static credentials, improving observability and security insights across your APIs.

You use this when your application relies on JWT or bearer tokens for authentication, and identity claims are available in request headers, body, or cookies. It is especially relevant when you need user-level context for analytics, policy enforcement, or security evaluation across environments and services.

You attribute each API request to a verified user and enrich it with contextual claims to strengthen monitoring, auditing, and compliance. You correlate user roles and privileges with anomalies, detect misuse of access controls, and apply conditions and transformations (such as Regex, Base64 decoding, and JSON Path) to accurately extract, validate, preview, and enforce user attribution rules.

Steps to configure

To configure token-based authentication, complete the following steps:

Step 1 — Define the authentication scope

  1. Specify the Name.

  2. (Optional) Specify a Description for the configuration.

  3. Select the Environment in which you wish to apply the configuration.

  4. Select the Services on which Traceable should apply the configuration. You can either select all or specific services from the drop-down according to your requirements.

  5. (Optional) Specify the URL Regex if you wish to provide a granular scope for user attribution.

  6. Click Next.

Token-Based Attribution Define Scope Window

Step 2 — Define the conditions to extract and transform the JWT token

  1. (Optional) Click + Add Condition, then select and specify the location, key, operator, and value to use when Traceable checks spans for a match. If a span satisfies the condition, Traceable further evaluates the remaining configurations.

  2. Select the Location and specify the key where Traceable can find the JWT token. While Traceable specifies this configuration by default using commonly used values, you can modify it to suit your requirements.

  3. (Optional) Click + Add Value Transformation to add either of the following custom transformations:

    • Regex Capture Group — This transformation enables you to extract specific parts of a string or value that match the pattern you define.

    • Base64 Decoder — This transformation enables you to convert encoded Base64 data back to its decoded or original format.

    • JSON Path — This transformation enables you to navigate and select a specific key within a nested JSON structure.

    While Traceable pre-adds some default transformations, you can add custom transformations. Traceable evaluates these transformations in order, from top to bottom.

    Note

    You can modify the values, if any, in the pre-added transformations and reorder them according to your requirements.

  4. Do one of the following according to your requirements:

    • If you use the default values Traceable defines, click Generate Preview in the Preview Attributes section on the right. This shows the payload and details Traceable extracts from the JWT token. You can also click View Details to see the values returned corresponding to each step above.

    • If you modified the values above, click Reload in the Preview Attributes section on the right. Post-reload, click Generate Preview to view the JWT Token extracted by Traceable. You can also click View Details to see the values returned corresponding to each attribute you configured above.

  5. Click Next.

User Attribution Token-based Extract Token Step

Step 3 — Define the authentication attributes

  1. From the list of available attributes, select the one(s) you wish to add. Depending on the attribute you select, complete the following steps:

    • User ID/User Role/User Scope/Custom:

      1. (Optional) Select the checkbox if you wish to Obfuscate the value post-attribution within the platform.

      2. (For Custom only) Specify the Key (Attribute Key) you wish to use as part of the authentication process.

      3. (Optional) Click + Add Condition, then select and specify the location, key, operator, and value to use when Traceable checks spans for a match.

      4. Specify the Claim Location in Token (JSON Path) where Traceable can find the attribute.

      5. (Optional) Click + Add Value Transformation to add either of the following custom transformations:

        • Regex Capture Group — This transformation enables you to extract specific parts of a string or value that match the pattern you define.

        • Base64 Decoder — This transformation enables you to convert encoded Base64 data back to its decoded or original format.

        • JSON Path — This transformation enables you to navigate and select a specific key within a nested JSON structure.

        You can also reorder the transformations according to your requirements. Traceable evaluates them in order, from top to bottom.

      Repeat the above steps to add one or more attributes, or complete the steps below to add the Auth Type attribute, according to your requirements.

    • Auth Type — You can select the authentication type from the drop-down list according to your requirements. You can also create a new one according to your requirements.

  2. Generate the preview of the attribute value(s) by doing one of the following:

    • If you use the default values Traceable defines, click Generate Preview in the Preview Attributes section on the right. This shows the details generated in Step 2 above, and the value(s) extracted for the attributes. You can also click View Details to see the values returned corresponding to each attribute above.

    • If you modified the values above, click Reload in the Preview Attributes section on the right. Post-reload, click Generate Preview to view the details generated in Step 2 above, and the value(s) extracted for the attributes. You can also click View Details to see the values returned corresponding to each attribute you configured above.

  3. Click Submit.

Examples and Demo

The following examples demonstrate how Traceable performs user attribution by extracting user identity claims from JWT tokens present in API requests:

Example 1 — When a JWT token is sent in the Request Header of an API

In this scenario, you must add Transformations to extract the JWT token from the header and decode it. Then, you can select the attributes you wish to identify. For example, if you consider the following JWT token and its corresponding payload for the demo, and the email claim in the payload contains the user ID. To extract it, you must add a Regex Capture Group transformation as shown in the below demo. Then, upon execution, Traceable extracts random as the user ID.

JWT Token

Payload

authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoicmFuZG9tIiwiZW1haWwiOiJyYW5kb21AdHh0LmNvbSIsInN1YiI6ImRlbW9BcHBVc2VyIiwiaXNzIjoiZGVtby1zZXJ2ZXIiLCJqdGkiOiI5ODc2NTRiMS0yMzRiLTU2NzgtYjJkNC1kNDA1YzEyMzQ1YWIiLCJhdWQiOiJkZW1vLWFwcC11c2VycyIsIm5iZiI6MTczODY0NDExNX0.zv45yfr2nK8geZeMiEvePT-NA4JG1p16VmYczmdC8A0

Note

The above JWT token is for reference purposes only.

{
  "name": "random", 
  "email": "random@txt.com",
  "sub": "demoAppUser",
  "iss": "demo-server",
  "jti": "987654b1-234b-5678-b2d4-d405c12345ab",
  "aud": "demo-app-users",
  "nbf": 1738644115
}

Example 2 — When a JWT token is sent in the Request Body of an API

In this scenario, you must add Transformations to extract the JWT token from the body and decode it. Then, you can select the attributes you wish to identify. For example, if you consider the following JWT token and its corresponding payload, then upon execution, Traceable extracts johndoe.com and Administrator as the user ID and role, respectively. Further, Traceable obfuscates these values on the platform.

JWT Token

Payload

"jwt": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MzA5MTM0MzcsImV4cCI6MTc2MjQ0OTQzNywiYXVkIjoid3d3LnRyYWNlYWJsZS5haSIsInVzZXItaWQiOiJqb2huZG9lLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG4iLCJTdXJuYW1lIjoiRG9lIiwiRW1haWwiOiJqZG9lQHRyYWNlYWJsZS5haSIsInJvbGUiOiJBZG1pbmlzdHJhdG9yIn0.YJoUiIQnEpANAJEuyQdpdwHzEOCr68xOjRvOYfcjHII"

Note

The above JWT token is for reference purposes only.

{
  "iat": 1730913437,
  "exp": 1762449437,
  "aud": "www.traceable.ai",
  "user-id": "johndoe.com",
  "GivenName": "John",
  "Surname": "Doe",
  "Email": "jdoe@traceable.ai",
  "role": "Administrator"
}

Example 3 — When a JWT token is sent in the Request Cookie of an API

In this scenario, you must remove existing Transformations to extract the JWT token from the cookie and attribute it. Then, you can select the attributes you wish to identify. For example, if you consider the following JWT token and its corresponding payload, then upon execution, Traceable extracts john.doe as the user ID. Further, Traceable obfuscates these values on the platform.

JWT Token

Payload

jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huLmRvZSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTIzNDU2Nzg5MCwiZ2l2ZW5fbmFtZSI6IkpvaG4iLCJmYW1pbHlfbmFtZSI6IkRvZSIsInVwZGF0ZWRfYXQiOiIyMDIzLTExLTEwVDE1OjE0OjAzLjY3MFoiLCJlbWFpbCI6ImpvaG4uZG9lQHRyYWNlYWJsZS5haSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJleHAiOjEyMzQ1Njc4OTAsInNpZCI6Ill6ei1qNWFiY2RlZmc5ajktYWJjZGVmZ2hpamsxamN6In0.-6zDczoEfNhKXyW85460oGXFvRtKwLyRuxaPx53FEDA

Note

The above JWT token is for reference purposes only.

{
  "name": "John Doe",
  "iat": 1516239022,
  "given_name": "John",
  "family_name": "Doe",
  "sub": "john.doe",
  "updated_at": "2023-11-10T15:14:03.670Z",
  "email": "john.doe@traceable.ai",
  "email_verified": true,
  "iat": 1234567890,
  "exp": 1234567890,
  "sid": "Yzz-j5abcdefg9j9-abcdefghijk1jcz"
}

Demo

The following interactive demo walks you through the steps to configure token-based user attribution:

©2025 Traceable by Harness | Terms of Service | Privacy Policy | OSS Disclosures