wundergraph · alepane21 · Jan 12, 2026 · Jan 8, 2026
@@ -1451,6 +1451,7 @@ This is useful when you want to connect to a JWKS endpoint
 | --------------------------------------------------------------------------- | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -----------------|
 | url                                                                         | <Icon icon="square-check" iconType="solid" />  | The URL of the JWKs. The JWKs are used to verify the JWT (JSON Web Token). The URL is specified as a string with the format 'scheme://host:port'.                                                                                                                                     |                  |
 | refresh_interval                                                            | <Icon icon="square" />                         | The interval at which the JWKs are refreshed. The period is specified as a string with a number and a unit, e.g. 10ms, 1s, 1m, 1h. The supported units are 'ms', 's', 'm', 'h'.                                                                                                       | 1m               |
+| allowed_use                                                                 | <Icon icon="square" />                         | The allowed value of the use parameter for the JWKs. If not specified, only keys with use set to 'sig' will be used. If your server provides no use, you can add an empty value to allow those keys.                                                                                  | ["sig"]          |
 | algorithms                                                                  | <Icon icon="square" />                         | The allowed algorithms for the keys that are retrieved from the JWKs. An empty list means that all algorithms are allowed. The following algorithms are supported "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "EdDSA"                            | [] (all allowed) |
 | refresh_unknown_kid.enabled                                                 | <Icon icon="square" />                         | Enable automatic JWKS refresh when encountering a valid token with an unknown KID (Key ID). When enabled, the router will fetch updated keys to find the matching KID.                                                                                                                | false            |
 | refresh_unknown_kid.max_wait                                                | <Icon icon="square" />                         | Maximum time a refresh is allowed to wait. If the computed wait would exceed this value, the request fails immediately with 401 Unauthorized instead of waiting.                                                                                                                      | 2m               |