How to manage authentication for NATS connections between client and backend versus backend to backend?

I am working with NATS, an Angular frontend, and a .NET backend, and I’m facing a challenge with authentication methods for different types of connections.

In my Angular application, the client connects to the NATS server using a JWT that is generated upon user login, which works perfectly. However, my .NET backend service also requires a connection to NATS for publishing and subscribing, and it generates a new token on startup. I’m concerned about the possibility of the token expiring while the server is still active.

I believe a more reliable solution could be using a user/password combination or a secret token for the backend service connection instead. Unfortunately, I’m unsure how to implement this within NATS.

Here’s the configuration for my NATS server:

# Operator token
operator: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ....iJuvBfktgJ6IJVHbC4M21xKcDQfZrVoYjrrlg4LTpgxM34VUHrAxNJuXetAIuCySjoQqenXUGryo9rj6ZJhRBg
# System account
system_account: ADNISFSTYNVWYZACC7DQ66IYZ26NUZFY4TQ4RK7T2J43XSHQFHH6LY2P

websocket {
    port: 443
    no_tls: true
}

# Setup for the resolver
resolver {
    type: full
    dir: './jwt'
    allow_delete: false
    interval: "2m"
    timeout: "1.9s"
}

# Preloaded JWT for the system account
resolver_preload: {
    ADNISFSTYNVWYZACC7DQ66IYZ26NUZFY4TQ4RK7T2J43XSHQFHH6LY2P: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ....paEVbf-2vbxM4e7_8lQCB43Zh2f8UtVwDSiJi7Z9zdkBaBNksgc0bAaYRceJgUJUTf6FUGZacBvUT7dAgA5dBw
}

I’d appreciate any guidance on configuring these two different authentication methods.

Wait, are you using connection callbacks for token refresh? How often do your backend tokens actually expire - did you set really short TTLs? You could also set up automatic renewal in your .NET service before tokens expire. What’s your current token TTL setup?

I ran into the same issue with NATS auth in mixed environments. Here’s what worked: NATS accounts can handle multiple auth methods at once by using different users in the same account. Set up your account JWT with JWT-based users for clients and credential-based users for backend services. Create a service user with static credentials for your .NET backend’s persistent connection. No more token expiration headaches since the credentials stay valid as long as the user exists. Your backend connects with these static creds instead of generating JWTs. You keep security but get the reliability you need for long-running services. Your operator config already supports this - just add the service user to your account JWT and switch your .NET connection to use credential auth instead of JWT generation.

Honestly, just use nkeys for your backend service. Way cleaner than user/pass combos and no token expiry headaches since nkeys are cryptographic keypairs. Generate an nkey for your .NET service, add it to your account config, and you’re done. Connection stays secure and persistent without the JWT mess you’re dealing with.
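Added example, not from any of the posts above and not code from the NATS project: it shows what the "nkey for your .NET service" in the last reply actually is, and why it addresses the expiry worry in the question. An nkey is just an ed25519 keypair in the nkeys text encoding (base32 of a prefix byte, the key, and a CRC-16/XMODEM checksum; seeds start with "SU", user public keys with "U"). When a client authenticates with one, the server's INFO carries a nonce, the client signs it with the seed and sends the signature in CONNECT; nothing in that exchange has a validity period. The code below reimplements that encoding and handshake with only the Go standard library, so a practitioner can see the pieces end to end; the prefix constants are the ones the nkeys library uses, and the nonce and the random demo seed are constructed here. One caveat for the operator-mode setup shown in the question's config: in that mode the server takes users only as JWTs signed by the account key, not from an authorization block, so the backend's nkey is the one `nsc add user` generates, and its user JWT (which has no expiry unless `--expiry` is given) together with the seed is what a `.creds` file contains. Reading a connection's JWT with a long or absent `exp` off that file is what gives a long-running backend stable credentials; the nkey alone is what makes the login a signature rather than a bearer token.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"encoding/base64"
	"errors"
	"fmt"
)

// Prefix bytes as defined by nkeys: seeds encode to "S…", user public keys to "U…".
const (
	prefixSeed byte = 18 << 3
	prefixUser byte = 20 << 3
)

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// crc16 is CRC-16/XMODEM (poly 0x1021, init 0), the checksum nkeys append.
func crc16(data []byte) uint16 {
	var crc uint16
	for _, b := range data {
		crc ^= uint16(b) << 8
		for i := 0; i < 8; i++ {
			crc = crc<<1 ^ (0x1021 & -(crc >> 15)) // xor the polynomial when the top bit is set
		}
	}
	return crc
}

// encode base32-encodes prefix||payload||crc16 (little-endian): the nkey text form.
func encode(prefix, payload []byte) string {
	raw := append(append([]byte{}, prefix...), payload...)
	crc := crc16(raw)
	return b32.EncodeToString(append(raw, byte(crc), byte(crc>>8)))
}

// decode reverses encode, checks the checksum and strips it; prefix bytes stay in front.
func decode(s string) ([]byte, error) {
	raw, err := b32.DecodeString(s)
	if err != nil || len(raw) < 4 {
		return nil, errors.New("malformed nkey")
	}
	body, sum := raw[:len(raw)-2], raw[len(raw)-2:]
	if crc16(body) != uint16(sum[0])|uint16(sum[1])<<8 {
		return nil, errors.New("nkey checksum mismatch")
	}
	return body, nil
}

// EncodeUserSeed turns 32 secret bytes into an "SU…" seed (the secret kept in a .nk or .creds file).
func EncodeUserSeed(seed []byte) string {
	b1 := prefixSeed | (prefixUser >> 5) // seed marker plus the top 3 bits of the role
	b2 := (prefixUser & 31) << 3          // the remaining role bits
	return encode([]byte{b1, b2}, seed)
}

// KeyFromSeed decodes an "SU…" seed into an ed25519 private key.
func KeyFromSeed(seed string) (ed25519.PrivateKey, error) {
	body, err := decode(seed)
	if err != nil || len(body) != 2+ed25519.SeedSize || body[0]&0xF8 != prefixSeed ||
		((body[0]&7)<<5)|(body[1]>>3) != prefixUser {
		return nil, errors.New("not a user seed")
	}
	return ed25519.NewKeyFromSeed(body[2:]), nil
}

// EncodeUserPublic returns the "U…" key the account lists for this user; only this half leaves the service.
func EncodeUserPublic(pub ed25519.PublicKey) string {
	return encode([]byte{prefixUser}, pub)
}

// SignNonce is the client side: sign the nonce from the server's INFO and send it base64url as "sig" in CONNECT.
func SignNonce(seed string, nonce []byte) (string, error) {
	key, err := KeyFromSeed(seed)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(ed25519.Sign(key, nonce)), nil
}

// VerifyNonce is the server side: check "sig" against the user's "U…" key. No expiry is involved.
func VerifyNonce(userPub string, nonce []byte, sigB64 string) bool {
	body, err := decode(userPub)
	if err != nil || len(body) != 1+ed25519.PublicKeySize || body[0] != prefixUser {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	return err == nil && ed25519.Verify(ed25519.PublicKey(body[1:]), nonce, sig)
}

func main() {
	raw := make([]byte, ed25519.SeedSize)
	rand.Read(raw) // constructed demo key; a real service loads its seed from a file
	seed := EncodeUserSeed(raw)
	key, _ := KeyFromSeed(seed)
	nonce := []byte("constructed-server-nonce")
	sig, _ := SignNonce(seed, nonce)
	fmt.Println(seed[:2], VerifyNonce(EncodeUserPublic(key.Public().(ed25519.PublicKey)), nonce, sig))
}
```

The checksum check matters in practice: a seed mistyped or truncated by one character is rejected outright instead of silently deriving a different key, and a public key handed in where a seed is expected fails the prefix test. The seed never leaves the service; the server, or the account JWT, only ever holds the "U…" public half.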