# Authentication Enforcement

#### Overview

CloudGuard WAF’s Authentication Enforcement ensures that only authorized requests can access your protected web application. It validates incoming requests against the configured authentication type and can detect/block unauthenticated or improperly authenticated traffic.

### **How to set up Authentication Enforcement**

#### **Configuration Options**

<figure><img src="/files/xNpkulADF4EhEAznD5kw" alt=""><figcaption></figcaption></figure>

* **Authentication Type**\
  Currently, only **JWT (JSON Web Token)** is supported.
* **Existence Verification**\
  Ensures that an authentication token is present.
* **Authentication Expiration**\
  Validates that the token has not expired.

{% hint style="info" %}
A default tolerance period of 5 minutes is applied to the expiration time.
{% endhint %}

* **Signature Verification**\
  Verifies the JWT using the uploaded public key.

{% hint style="info" %}
Signature Verification supports the following **asymmetric algorithms**: RS256, RS512, ES256, ES384, ES512.
{% endhint %}
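The sketch below is an added example, not Check Point code. It mirrors the existence, algorithm and expiration checks so you can predict which requests will be blocked before enforcing the policy. It assumes the token arrives as `Authorization: Bearer <jwt>`, that the tolerance extends validity to `exp` plus 5 minutes, and that a token without `exp` fails. It does not verify the signature, so a passing result alone does not authenticate a request.

```python
import base64
import json
import time

# Asymmetric algorithms from the page's list (ES384 is the registered JWA name).
ALLOWED_ALGS = {"RS256", "RS512", "ES256", "ES384", "ES512"}
TOLERANCE_SECONDS = 5 * 60  # default tolerance stated on the page


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) and parse its JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def precheck(headers, now=None):
    """Return (ok, reason) for the existence, algorithm and expiration checks.

    Assumption: the token arrives as 'Authorization: Bearer <jwt>'.
    The signature is NOT verified here; that needs the uploaded public key
    and a crypto library, so a passing result does not authenticate anything.
    """
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False, "missing token"
    parts = token.strip().split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed token"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return False, "malformed token"
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        return False, "algorithm not allowed"  # rejects e.g. HS256 and "none"
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False, "no usable exp claim"  # assumed behaviour, see lead-in
    if now > exp + TOLERANCE_SECONDS:  # assumed: valid until exp + tolerance
        return False, "expired"
    return True, "passes pre-checks"


def make_token(alg, exp):
    """Build a constructed sample token; the signature part is a placeholder."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc({'sub': 'demo', 'exp': exp})}.c2ln"
```
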

**Unauthenticated Endpoints**

By default, this protection applies to the entire asset.

* If you want to **exclude specific URIs**, you can define them here.

#### **Response Code for Unauthorized Access**

{% hint style="danger" %}
The default response status code for a blocked request is 403, which might cause unexpected behavior. The following section explains how to configure a 401 response code to align with authentication best practices.
{% endhint %}

To return a `401 Unauthorized` response for blocked requests, follow the steps below:

1. Create a dedicated [Web User Response](/setup-instructions/setup-web-user-response-pages.md) with the following configuration:
   * Mode: `Response Code Only`
   * HTTP Response Code: `401`

<div data-full-width="false"><figure><img src="/files/9G2O6fL33pK9l1YzJjYu" alt="" width="199"><figcaption></figcaption></figure></div>

2. Assign the Web User Response to the practice.

<figure><img src="/files/5nSrXs1V3T5rnL2e2QNj" alt="" width="375"><figcaption></figcaption></figure>

3. Enforce Policy.


