Skip to content

Enhance Transform Rules

You can forward information from a JSON Web Token (JWT) to the origin in a header by creating Transform Rules using claims that Cloudflare has verified via the JSON Web Token.

Claims are available through the http.request.jwt.claims firewall fields.

For example, the following expression will extract the user claim from a token processed by the Token Configuration with TOKEN_CONFIGURATION_ID:

lookup_json_string(http.request.jwt.claims["<TOKEN_CONFIGURATION_ID>"][0], "claim_name")

​​Refer to Configure JWT Validation for more information about creating a Token Configuration.

Create a Transform Rule

As an example, to send the header x-send-jwt-claim-user request header to the origin, you must create a Transform Rule:

  1. Log in to the Cloudflare dashboard and select your account and domain.
  2. Go to Rules > Transform Rules.
  3. Select Modify Request Header > Create rule.
  4. Enter a rule name and a filter expression, if applicable.
  5. Choose Set dynamic.
  6. Set the header name.
  7. Set the value to lookup_json_string(http.request.jwt.claims["<TOKEN_CONFIGURATION_ID>"][0], "claim_name"), where <TOKEN_CONFIGURATION_ID> is your token configuration ID found in JWT Validation and claim_name is the JWT claim you want to add to the header.

Available fields

You can create Transform Rules using more claims present in tokens processed by JWT Validation.

  • http.request.jwt.claims.aud,
  • http.request.jwt.claims.aud.names,
  • http.request.jwt.claims.aud.values,
  • http.request.jwt.claims.iat.sec,
  • http.request.jwt.claims.iat.sec.names,
  • http.request.jwt.claims.iat.sec.values,
  • http.request.jwt.claims.iss,
  • http.request.jwt.claims.iss.names,
  • http.request.jwt.claims.iss.values,
  • http.request.jwt.claims.jti,
  • http.request.jwt.claims.jti.names,
  • http.request.jwt.claims.jti.values,
  • http.request.jwt.claims.nbf.sec,
  • http.request.jwt.claims.nbf.sec.names,
  • http.request.jwt.claims.nbf.sec.values,
  • http.request.jwt.claims.sub,
  • http.request.jwt.claims.sub.names,
  • http.request.jwt.claims.sub.values,
  • cf.api_gateway.auth_id_present,
  • cf.api_gateway.request_violates_schema