JWT doesn't seem to work?

Hi, I am trying to get my rasa core to secure through JWT, but it doesn’t seem to work at all.

I am running rasa core as REST via: python -m rasa_core.run --enable_api --credentials credentials.yml --jwt_secret thisismysecret -d models/dialogue -u models/nlu -o out.log

Then I make a request without any JWT header: curl -d '{"sender":"me", "message":"hi"}' -X POST -H "Content-Type: application/json" http://localhost:5005/webhooks/rest/webhook

And I just get a response perfectly fine.

How can I enforce JWT? Using rasa-core 0.11.12

EDIT: So I realized the same holds for auth_token. Apparently the /conversations endpoints are protected, but the actual webhook is not. This makes little sense since /conversations manipulates state directly but of course the webhook does so as well but indirectly… Is this by design? How can I secure my rasa API?

can you post an issue on rasa core please?

I did: JWT authentication not working? · Issue #1265 · RasaHQ/rasa_core · GitHub

1 Like