Skip to content

PostgREST JWT Secret

Service Name: PostgREST

Service Description: PostgREST is an open-source web server that automatically turns your PostgreSQL database into a RESTful API. It uses JWT (JSON Web Tokens) for authentication, allowing secure access to your database through API endpoints.

Service Address: https://postgrest.org/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the PostgreSQL database level or through a reverse proxy in front of PostgREST.

Secret Access Scope: The JWT secret is used to sign and verify JSON Web Tokens that grant access to the PostgREST API. It controls authentication and authorization to your PostgreSQL database through the REST API.

Secret Revokement URL: Does not exist (requires changing the secret in the PostgREST configuration file)

Secret Example: 5up3r53cr3tk3yf0rp05tgr35t

Suspicious Activity Investigation Instructions:

  • Review PostgreSQL database logs for unusual query patterns or access attempts
  • Check API access logs for unexpected requests or authentication attempts
  • Monitor for unusual database operations or data access patterns
  • Verify if there are any unauthorized schema changes or role modifications
  • Look for unexpected JWT token generations or validations

Mitigation Instructions:

  • Immediately change the JWT secret in your PostgREST configuration file
  • Restart the PostgREST service to apply the new secret
  • Update any client applications with the new JWT secret
  • Review and potentially revoke any existing JWT tokens
  • Consider implementing token expiration with shorter timeframes
  • Audit PostgreSQL roles and permissions to ensure proper access controls
  • Consider implementing additional security measures like rate limiting or IP

restrictions