
How to migrate from JWT to IAM authentication for private containers

Important
  • The authentication method with existing tokens remains available. Only the creation of new tokens will no longer be supported.
  • Creating new JWT tokens will be gradually deprecated. Migrating to IAM tokens is strongly encouraged, as JWT creation will be disabled during 2026.

Scaleway Serverless Functions and Containers used to rely on legacy JWT authentication tokens to access private resources.

This feature is now deprecated. You must therefore use Scaleway IAM to access your private functions and containers using an API key. This change allows for better integration with the Scaleway ecosystem. Read the documentation on advanced access control with IAM conditions for more information.

  1. Set up IAM authentication by creating an IAM application and an API key associated with it, then grant the application the FunctionsPrivateAccess or ContainersPrivateAccess permission via an IAM policy.

  2. Delete the existing JWT for your Serverless Functions / Containers to revoke legacy authentication.

  3. Pass the secret key of your IAM application's API key via the X-Auth-Token header to call your private resource:

curl -H "X-Auth-Token: <YOUR_SECRET_KEY>" <YOUR_ENDPOINT>
Note
  • Existing tokens will continue to work.
  • Reading (GET/LIST) and deleting (DELETE) JWT tokens will remain available for the coming months.
  • No application code changes are required; only the header value needs to be updated.
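
Added example (not Scaleway's code): a Python audit that classifies the values your clients send in X-Auth-Token, so leftover legacy JWTs can be found without printing any secret. The setting names and sample values are constructed, and the UUID shape of an IAM API secret key is an assumption.

```python
import base64
import json
import re

# Assumption: an IAM API secret key is UUID-shaped. Adjust if yours differs.
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def _b64url_json(segment):
    """Decode one base64url segment into a dict, or None if it is not a JSON object."""
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        obj = json.loads(raw)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def classify_token(value):
    """Return 'legacy-jwt', 'uuid-key' or 'unknown' for an X-Auth-Token value."""
    value = value.strip()
    parts = value.split(".")
    # A JWT is header.payload.signature, and its header is a JSON object with "alg".
    if len(parts) == 3 and all(parts):
        header = _b64url_json(parts[0])
        if header is not None and "alg" in header:
            return "legacy-jwt"
    if UUID_RE.fullmatch(value):
        return "uuid-key"
    return "unknown"

def audit(settings):
    """Map each setting name to a token kind. Token values are never returned."""
    return {name: classify_token(value) for name, value in settings.items()}

def _seg(obj):
    """Encode a dict as an unpadded base64url JWT segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample input: hypothetical setting names, no real credentials.
SAMPLE_JWT = ".".join([_seg({"alg": "HS256", "typ": "JWT"}), _seg({"note": "constructed"}), "c2ln"])
SAMPLE_SETTINGS = {
    "BILLING_FUNCTION_TOKEN": SAMPLE_JWT,
    "REPORTS_CONTAINER_TOKEN": "11111111-2222-3333-4444-555555555555",
    "NOT_A_TOKEN": "a.b.c",
}

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_SETTINGS).items():
        print(f"{name}: {kind}")
```

Settings reported as legacy-jwt are the ones whose header value still needs to be replaced with an IAM secret key.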

Granularity changes with IAM tokens

The JWT system allows you to create tokens for specific Serverless Namespaces, Serverless Functions, and Serverless Containers. IAM tokens are scoped by project, meaning the level of granularity will change.

To preserve the level of granularity when required, it is recommended to separate your resources within different projects.

Note

While IAM granularity is not available, the JWT system will continue to work.

Improvements are underway regarding IAM to provide a system with the same level of granularity as JWT.

Motivation for the change

When Scaleway Serverless Functions and Containers were first developed, IAM was not yet available as a service. To provide secure access to private Functions and Containers, we implemented JWT authentication as the primary authentication mechanism.

However, with the introduction and maturation of IAM, Scaleway now has a more robust and integrated authentication system. Migrating from JWT to IAM offers several advantages:

  • Better ecosystem integration: IAM is deeply integrated with all Scaleway services, providing consistent authentication and authorization patterns across the platform
  • Enhanced security features: IAM benefits from ongoing security improvements and follows best practices for authentication
  • Rapid evolution: IAM is actively developed and will receive frequent updates and new features, ensuring your authentication system stays current
  • Unified management: Using IAM for authentication centralizes access control management across all Scaleway resources

As IAM continues to evolve rapidly, it will offer capabilities that improve on what the legacy JWT system could provide, making it the preferred authentication method for Serverless Functions and Containers.
