apache · davsclaus · May 21, 2026 · May 20, 2026
diff --git a/.../generated/resources/org/apache/camel/catalog/main/camel-main-configuration-metadata.json b/.../generated/resources/org/apache/camel/catalog/main/camel-main-configuration-metadata.json
@@ -215,6 +215,8 @@
     { "name": "camel.management.infoPath", "required": false, "description": "The path endpoint used to expose the info status", "sourceType": "org.apache.camel.main.HttpManagementServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "defaultValue": "\/observe\/info", "secret": false },
     { "name": "camel.management.jolokiaEnabled", "required": false, "description": "Whether to enable jolokia. If enabled then you can access jolokia api on context-path: \/observe\/jolokia", "sourceType": "org.apache.camel.main.HttpManagementServerConfigurationProperties", "type": "boolean", "javaType": "boolean", "defaultValue": false, "secret": false },
     { "name": "camel.management.jolokiaPath", "required": false, "description": "The path endpoint used to expose the jolokia data.", "sourceType": "org.apache.camel.main.HttpManagementServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "defaultValue": "\/observe\/jolokia", "secret": false },
+    { "name": "camel.management.jwtAudience", "required": false, "description": "Expected JWT audience (aud claim) for token validation. Multiple values can be separated by comma. When set, tokens whose audience does not contain any of the configured values are rejected.", "sourceType": "org.apache.camel.main.HttpManagementServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "secret": false },
+    { "name": "camel.management.jwtIssuer", "required": false, "description": "Expected JWT issuer (iss claim) for token validation. When set, tokens whose issuer does not match are rejected.", "sourceType": "org.apache.camel.main.HttpManagementServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "secret": false },
     { "name": "camel.management.jwtKeystorePassword", "required": false, "description": "Password from the keystore used for JWT tokens validation.", "sourceType": "org.apache.camel.main.HttpManagementServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "secret": true, "security": "secret" },
     { "name": "camel.management.jwtKeystorePath", "required": false, "description": "Path to the keystore file used for JWT tokens validation.", "sourceType": "org.apache.camel.main.HttpManagementServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "secret": false },
     { "name": "camel.management.jwtKeystoreType", "required": false, "description": "Type of the keystore used for JWT tokens validation (jks, pkcs12, etc.).", "sourceType": "org.apache.camel.main.HttpManagementServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "secret": false },
@@ -332,6 +334,8 @@
     { "name": "camel.server.fileUploadDirectory", "required": false, "description": "Directory to temporary store file uploads while Camel routes the incoming request. If no directory has been explicit configured, then a temporary directory is created in the java.io.tmpdir directory.", "sourceType": "org.apache.camel.main.HttpServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "secret": false },
     { "name": "camel.server.fileUploadEnabled", "required": false, "description": "Whether to enable file uploads being supported (such as POST multipart\/form-data) and stored into a temporary directory.", "sourceType": "org.apache.camel.main.HttpServerConfigurationProperties", "type": "boolean", "javaType": "boolean", "defaultValue": true, "secret": false },
     { "name": "camel.server.host", "required": false, "description": "Hostname to use for binding embedded HTTP server", "sourceType": "org.apache.camel.main.HttpServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "defaultValue": "0.0.0.0", "secret": false },
+    { "name": "camel.server.jwtAudience", "required": false, "description": "Expected JWT audience (aud claim) for token validation. Multiple values can be separated by comma. When set, tokens whose audience does not contain any of the configured values are rejected.", "sourceType": "org.apache.camel.main.HttpServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "secret": false },
+    { "name": "camel.server.jwtIssuer", "required": false, "description": "Expected JWT issuer (iss claim) for token validation. When set, tokens whose issuer does not match are rejected.", "sourceType": "org.apache.camel.main.HttpServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "secret": false },
     { "name": "camel.server.jwtKeystorePassword", "required": false, "description": "Password from the keystore used for JWT tokens validation.", "sourceType": "org.apache.camel.main.HttpServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "secret": true, "security": "secret" },
     { "name": "camel.server.jwtKeystorePath", "required": false, "description": "Path to the keystore file used for JWT tokens validation.", "sourceType": "org.apache.camel.main.HttpServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "secret": false },
     { "name": "camel.server.jwtKeystoreType", "required": false, "description": "Type of the keystore used for JWT tokens validation (jks, pkcs12, etc.).", "sourceType": "org.apache.camel.main.HttpServerConfigurationProperties", "type": "string", "javaType": "java.lang.String", "secret": false },

diff --git a/components/camel-platform-http-main/src/main/docs/platform-http-main.adoc b/components/camel-platform-http-main/src/main/docs/platform-http-main.adoc
@@ -42,6 +42,30 @@ These features are as follows:
 
 You configure these features in the `application.properties` file using the `camel.server.xxx` and `camel.management.xxx` options.
 
+== JWT authentication
+
+The embedded HTTP server can validate JWT bearer tokens on incoming requests.
+Token signatures are verified against a keystore, and the `exp` and `nbf` claims
+are checked by default. Set `jwtIssuer` and/or `jwtAudience` to also validate
+the `iss` and `aud` claims.
+
+[source,properties]
+----
+camel.server.enabled=true
+camel.server.authenticationEnabled=true
+camel.server.authenticationPath=/*
+
+camel.server.jwtKeystoreType=jks
+camel.server.jwtKeystorePath=keystore.jks
+camel.server.jwtKeystorePassword=changeme
+
+camel.server.jwtIssuer=https://issuer.example.com
+camel.server.jwtAudience=api,internal-api
+----
+
+`jwtAudience` accepts a comma-separated list of values. A token is accepted if
+its `aud` claim contains any of the configured values.
+
 == See More
 
 - xref:platform-http-vertx.adoc[Platform HTTP Vert.x]
diff --git a/...apache/camel/component/platform/http/main/authentication/JWTAuthenticationConfigurer.java b/...apache/camel/component/platform/http/main/authentication/JWTAuthenticationConfigurer.java
@@ -17,6 +17,7 @@
 package org.apache.camel.component.platform.http.main.authentication;
 
 import io.vertx.core.json.JsonObject;
+import io.vertx.ext.auth.JWTOptions;
 import io.vertx.ext.auth.authentication.AuthenticationProvider;
 import io.vertx.ext.auth.jwt.JWTAuth;
 import io.vertx.ext.auth.jwt.JWTAuthOptions;
@@ -27,6 +28,7 @@
 import org.apache.camel.component.platform.http.vertx.auth.AuthenticationConfig.AuthenticationHandlerFactory;
 import org.apache.camel.main.HttpManagementServerConfigurationProperties;
 import org.apache.camel.main.HttpServerConfigurationProperties;
+import org.apache.camel.util.ObjectHelper;
 
 public class JWTAuthenticationConfigurer implements MainAuthenticationConfigurer {
 
@@ -48,13 +50,20 @@ public <T extends AuthenticationProvider> AuthenticationHandler createAuthentica
                 return JWTAuthHandler.create(authProvider, realm);
             }
         });
-        entry.setAuthenticationProviderFactory(vertx -> JWTAuth.create(
-                vertx,
-                new JWTAuthOptions(
-                        new JsonObject().put("keyStore", new JsonObject()
-                                .put("type", properties.getJwtKeystoreType())
-                                .put("path", properties.getJwtKeystorePath())
-                                .put("password", properties.getJwtKeystorePassword())))));
+
+        entry.setAuthenticationProviderFactory(vertx -> {
+            JWTAuthOptions jwtAuthOptions = new JWTAuthOptions(
+                    new JsonObject().put("keyStore", new JsonObject()
+                            .put("type", properties.getJwtKeystoreType())
+                            .put("path", properties.getJwtKeystorePath())
+                            .put("password", properties.getJwtKeystorePassword())));
+
+            JWTOptions jwtOptions = buildJwtOptions(properties.getJwtAudience(), properties.getJwtIssuer());
+            if (jwtOptions != null) {
+                jwtAuthOptions.setJWTOptions(jwtOptions);
+            }
+            return JWTAuth.create(vertx, jwtAuthOptions);
+        });
 
         authenticationConfig.getEntries().add(entry);
         authenticationConfig.setEnabled(true);
@@ -78,15 +87,48 @@ public <T extends AuthenticationProvider> AuthenticationHandler createAuthentica
                 return JWTAuthHandler.create(authProvider, realm);
             }
         });
-        entry.setAuthenticationProviderFactory(vertx -> JWTAuth.create(
-                vertx,
-                new JWTAuthOptions(
-                        new JsonObject().put("keyStore", new JsonObject()
-                                .put("type", properties.getJwtKeystoreType())
-                                .put("path", properties.getJwtKeystorePath())
-                                .put("password", properties.getJwtKeystorePassword())))));
+
+        entry.setAuthenticationProviderFactory(vertx -> {
+            JWTAuthOptions jwtAuthOptions = new JWTAuthOptions(
+                    new JsonObject().put("keyStore", new JsonObject()
+                            .put("type", properties.getJwtKeystoreType())
+                            .put("path", properties.getJwtKeystorePath())
+                            .put("password", properties.getJwtKeystorePassword())));
+
+            JWTOptions jwtOptions = buildJwtOptions(properties.getJwtAudience(), properties.getJwtIssuer());
+            if (jwtOptions != null) {
+                jwtAuthOptions.setJWTOptions(jwtOptions);
+            }
+            return JWTAuth.create(vertx, jwtAuthOptions);
+        });
 
         authenticationConfig.getEntries().add(entry);
         authenticationConfig.setEnabled(true);
     }
+
+    private static JWTOptions buildJwtOptions(String audience, String issuer) {
+
+        boolean isAudienceEmpty = ObjectHelper.isEmpty(audience);
+        boolean isIssuerEmpty = ObjectHelper.isEmpty(issuer);
+
+        if (isAudienceEmpty && isIssuerEmpty) {
+            return null;
+        }
+
+        JWTOptions options = new JWTOptions();
+
+        if (!isAudienceEmpty) {
+            for (String a : audience.split(",")) {
+                if (ObjectHelper.isNotEmpty(a)) {
+                    options.addAudience(a.trim());
+                }
+            }
+        }
+
+        if (!isIssuerEmpty) {
+            options.setIssuer(issuer);
+        }
+
+        return options;
+    }
 }
diff --git a/.../platform/http/main/authentication/JWTIssuerAudienceAuthenticationMainHttpServerTest.java b/.../platform/http/main/authentication/JWTIssuerAudienceAuthenticationMainHttpServerTest.java
@@ -0,0 +1,164 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.component.platform.http.main.authentication;
+
+import io.vertx.core.Vertx;
+import io.vertx.core.json.JsonObject;
+import io.vertx.ext.auth.JWTOptions;
+import io.vertx.ext.auth.jwt.JWTAuth;
+import io.vertx.ext.auth.jwt.JWTAuthOptions;
+import org.apache.camel.CamelContext;
+import org.apache.camel.builder.RouteBuilder;
+import org.apache.camel.main.Main;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import static io.restassured.RestAssured.given;
+import static org.hamcrest.Matchers.equalTo;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+
+public class JWTIssuerAudienceAuthenticationMainHttpServerTest {
+
+    private static final String EXPECTED_ISSUER = "https://issuer.camel.example";
+    private static final String EXPECTED_AUDIENCE = "camel-api";
+    private static final String SECOND_EXPECTED_AUDIENCE = "camel-internal";
+
+    private static Main main;
+    private static JWTAuth jwtAuth;
+
+    @BeforeAll
+    static void init() {
+        main = new Main();
+        main.setPropertyPlaceholderLocations("jwt-issuer-audience-auth.properties");
+        main.configure().addRoutesBuilder(new PlatformHttpRouteBuilder());
+        main.enableTrace();
+        main.start();
+
+        jwtAuth = JWTAuth.create(Vertx.vertx(), new JWTAuthOptions(
+                new JsonObject().put("keyStore", new JsonObject()
+                        .put("type", "jks")
+                        .put("path", "test-camel-main-auth-jwt.jks")
+                        .put("password", "changeme"))));
+    }
+
+    @AfterAll
+    static void tearDown() {
+        main.stop();
+    }
+
+    @Test
+    void testNoAuthHeaderReturns401() {
+        CamelContext camelContext = main.getCamelContext();
+        assertNotNull(camelContext);
+
+        given()
+                .when()
+                .get("/main-http-test")
+                .then()
+                .statusCode(401)
+                .body(equalTo("Unauthorized"));
+    }
+
+    @Test
+    void testMatchingIssuerAndAudienceReturns200() {
+        String token = mintToken(new JWTOptions()
+                .setIssuer(EXPECTED_ISSUER)
+                .addAudience(EXPECTED_AUDIENCE));
+
+        given()
+                .header("Authorization", "Bearer " + token)
+                .when()
+                .get("/main-http-test")
+                .then()
+                .statusCode(200)
+                .body(equalTo("main-http-auth-jwt-test-response"));
+    }
+
+    @Test
+    void testMatchingIssuerAndSecondAudienceReturns200() {
+        String token = mintToken(new JWTOptions()
+                .setIssuer(EXPECTED_ISSUER)
+                .addAudience(SECOND_EXPECTED_AUDIENCE));
+
+        given()
+                .header("Authorization", "Bearer " + token)
+                .when()
+                .get("/main-http-test")
+                .then()
+                .statusCode(200)
+                .body(equalTo("main-http-auth-jwt-test-response"));
+    }
+
+    @Test
+    void testWrongIssuerReturns401() {
+        String token = mintToken(new JWTOptions()
+                .setIssuer("https://attacker.example")
+                .addAudience(EXPECTED_AUDIENCE));
+
+        given()
+                .header("Authorization", "Bearer " + token)
+                .when()
+                .get("/main-http-test")
+                .then()
+                .statusCode(401)
+                .body(equalTo("Unauthorized"));
+    }
+
+    @Test
+    void testWrongAudienceReturns401() {
+        String token = mintToken(new JWTOptions()
+                .setIssuer(EXPECTED_ISSUER)
+                .addAudience("not-in-list"));
+
+        given()
+                .header("Authorization", "Bearer " + token)
+                .when()
+                .get("/main-http-test")
+                .then()
+                .statusCode(401)
+                .body(equalTo("Unauthorized"));
+    }
+
+    @Test
+    void testMissingAudienceReturns401() {
+        String token = mintToken(new JWTOptions()
+                .setIssuer(EXPECTED_ISSUER));
+
+        given()
+                .header("Authorization", "Bearer " + token)
+                .when()
+                .get("/main-http-test")
+                .then()
+                .statusCode(401)
+                .body(equalTo("Unauthorized"));
+    }
+
+    private static String mintToken(JWTOptions jwtOptions) {
+        return jwtAuth.generateToken(new JsonObject().put("admin", "camel"), jwtOptions);
+    }
+
+    private static class PlatformHttpRouteBuilder extends RouteBuilder {
+
+        @Override
+        public void configure() throws Exception {
+            from("platform-http:/main-http-test")
+                    .log("Received request with headers: ${headers}\nWith body: ${body}")
+                    .setBody(simple("main-http-auth-jwt-test-response"));
+        }
+    }
+}
diff --git a/components/camel-platform-http-main/src/test/resources/jwt-issuer-audience-auth.properties b/components/camel-platform-http-main/src/test/resources/jwt-issuer-audience-auth.properties
@@ -0,0 +1,25 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+##      http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+camel.server.enabled=true
+
+camel.server.authenticationEnabled=true
+camel.server.authenticationPath=/*
+camel.server.jwtKeystoreType=jks
+camel.server.jwtKeystorePath=test-camel-main-auth-jwt.jks
+camel.server.jwtKeystorePassword=changeme
+camel.server.jwtIssuer=https://issuer.camel.example
+camel.server.jwtAudience=camel-api,camel-internal