Client Authentication Enhancements
Centrifugo OSS provides JWT-based client authentication. It's a very powerful mechanism because it helps a lot to reduce load on your session backend when dealing with many concurrent connections and massive reconnections from time to time. Centrifugo PRO comes with extra features for more convenient client authentication management.

Extracting meta from JWT claims
Centrifugo PRO can automatically extract and populate connection meta object from JWT token claims based on the mapping in the configuration. This allows more convenient work with JWTs which are not under user's control, i.e., issued by third-party identity providers.
This feature is available since Centrifugo PRO v6.5.0, currently in beta status. Beta status means we can tweak some implementation details based on user feedback before marking it as stable.
This metadata is then available throughout the connection lifecycle and can be used in:
- CEL expressions for authorization
- Proxy requests (passed in per-call data)
- Connection introspection
Example configuration
Meta claims extraction is configured using the meta_from_claim StringKeyValues option in the token configuration:
- Keys are the field names to use in the resulting
metaobject (to be placed onmetaobject top level) - Values are paths to extract values from JWT claims (may have
.for extracting nested objects from JWT claims)
Let's say we have the following configuration:
{
"client": {
"token": {
"hmac_secret_key": "your-secret-key",
"meta_from_claim": [
{
"key": "role",
"value": "user.role"
},
{
"key": "dept",
"value": "user.department"
},
{
"key": "access_level",
"value": "permissions.level"
},
{
"key": "features",
"value": "enabled_features"
},
{
"key": "info",
"value": "custom-info"
}
]
}
}
}
Given a connection JWT with the following claims:
{
"sub": "user123",
"exp": 1234567890,
"user": {
"role": "admin",
"department": "engineering"
},
"permissions": {
"level": 5
},
"enabled_features": ["dashboard", "api"],
"custom-info": "some info"
}
With the example configuration above, Centrifugo will:
- Extract
user.roleand map it torolein meta - Extract
user.departmentand map it todeptin meta - Etc.
The connection will have the following meta object:
{
"role": "admin",
"dept": "engineering",
"access_level": 5,
"features": ["dashboard", "api"],
"info": "some info"
}
Implementation notes
- Meta field names (the keys in the
meta_from_claimmap) must follow^[A-Za-z_][A-Za-z0-9_]*$regex. This is validated on Centrifugo start. - Meta claims extraction allows using dots for extracting values from nested JWT claim objects. In
meta_from_claimvalues, Centrifugo does not allow using special characters like@#[]{}*?!by default, but you can use the\character to escape them if needed. Values are validated on Centrifugo start. - If a path in
meta_from_claimvalue doesn't exist in the JWT token, it will be silently skipped. Only claims that exist in the token will be extracted. - If your JWT token already contains a
metaclaim, the extracted fields will override the existing fields. - Meta claims extraction only works for connection tokens, not subscription tokens. Subscription tokens do not support the
metaclaim.
Try it: claim mapping explorer
Edit the JWT claims, meta_from_claim, and labels_from_claim below and watch the resulting connection meta and labels — including which mappings were extracted, overrode an existing value, or were silently skipped. It also handles the labels_from_claim mapping described in the next section, and generates the config to reproduce it.
JWT claim mapping explorer
meta + labelsmeta_from_claimlabels_from_claim^[A-Za-z_][A-Za-z0-9_]*$. Paths are simple dot paths; escape a literal dot as \.{
"role": "admin",
"dept": "engineering",
"access_level": 5,
"features": [
"dashboard",
"api"
],
"info": "some info"
}{
"region": "eu",
"tier": "pro"
}- ✓meta.role — set meta.role from "user.role"