# Reference for the teleport\_app\_auth\_config Terraform resource

This page describes the supported values of the teleport\_app\_auth\_config resource of the Teleport Terraform provider.

## Example Usage

```
resource "teleport_app_auth_config" "example" {
  version = "v1"
  metadata = {
    name        = "example"
    description = "Example app auth config"
    labels = {
      example               = "yes"
      "teleport.dev/origin" = "dynamic"
    }
  }

  spec = {
    app_labels = [{
      name   = "teleport.internal/app-sub-kind"
      values = ["mcp"]
    }]
    jwt = {
      issuer   = "https://issuer"
      audience = "teleport"
      jwks_url = "https://issuer/.well-known/jwks.json"
    }
  }
}
```

## Schema

### Required

- `metadata` (Attributes) Metadata is the app auth config resource's metadata. (see [below for nested schema](#nested-schema-for-metadata))
- `spec` (Attributes) Spec is the app auth config specification. (see [below for nested schema](#nested-schema-for-spec))
- `version` (String) Version is the app auth config resource version.

### Optional

- `sub_kind` (String) SubKind is the app auth config subkind.

### Nested Schema for `metadata`

Required:

- `name` (String) name is an object name.

Optional:

- `description` (String) description is the object description.
- `expires` (String) expires is a global expiry time header that can be set on any resource in the system.
- `labels` (Map of String) labels is a set of labels.

### Nested Schema for `spec`

Optional:

- `app_labels` (Attributes List) AppLabels is used to define the app\_labels matcher, which selects applications that can use this authentication config. An empty value means no application will use it. (see [below for nested schema](#nested-schema-for-specapp_labels))
- `jwt` (Attributes) Jwt is the JWT authentication config spec. (see [below for nested schema](#nested-schema-for-specjwt))

### Nested Schema for `spec.app_labels`

Optional:

- `name` (String) The name of the label.
- `values` (List of String) The values associated with the label.

### Nested Schema for `spec.jwt`

Optional:

- `audience` (String) Audience is the expected token audience. It will usually be an OAuth client\_id issued for Teleport use.
- `issuer` (String) Issuer is the JWT token issuer name. This value is used to verify the token.
- `jwks_url` (String) JwksUrl is the JSON Web Key Set (JWKS) URL used to fetch signing keys.
- `static_jwks` (String) StaticJwks is the JSON Web Key Set (JWKS) formatted public keys of the token issuer in JSON format.
- `username_claim` (String) UsernameClaim specifies which token claim name's value will be used as the username. Defaults to `email`.
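
The following pre-apply lint for a `spec` block is an added example, not code from Teleport or its Terraform provider. The function names, the dict shape and the three checks are assumptions of this example (a review policy, not validation the provider is known to perform): it flags an empty `app_labels` matcher, a `jwks_url` that is not HTTPS, and a `static_jwks` value that carries private or symmetric key members where only public keys belong.

```python
import json
from urllib.parse import urlparse

# JWK members that carry private or symmetric key material (RFC 7518).
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def lint_app_auth_spec(spec):
    """Return findings for a dict shaped like the `spec` schema above."""
    findings = []
    if not spec.get("app_labels"):
        findings.append("app_labels is empty: no application will use this config")
    jwt = spec.get("jwt") or {}
    url, static = jwt.get("jwks_url"), jwt.get("static_jwks")
    if not url and not static:
        findings.append("jwt has no signing key source (jwks_url or static_jwks)")
    if url and urlparse(url).scheme != "https":
        findings.append("jwt.jwks_url is not https: keys would be fetched without TLS")
    if static:
        findings.extend(lint_static_jwks(static))
    return findings


def lint_static_jwks(raw):
    """Check that a static JWKS string parses and holds only public members."""
    try:
        keys = json.loads(raw).get("keys")
    except (TypeError, ValueError, AttributeError):
        return ["jwt.static_jwks is not a JSON object"]
    if not isinstance(keys, list) or not keys:
        return ["jwt.static_jwks has no 'keys' array"]
    findings = []
    for i, key in enumerate(keys):
        leaked = sorted(PRIVATE_JWK_MEMBERS & set(key)) if isinstance(key, dict) else []
        if leaked:
            findings.append(f"jwt.static_jwks key {i} contains private members {leaked}")
    return findings


# Constructed sample input (not a real config or key): trips all three checks.
SAMPLE_SPEC = {
    "app_labels": [],
    "jwt": {
        "jwks_url": "http://issuer/.well-known/jwks.json",
        "static_jwks": json.dumps({"keys": [{"kty": "RSA", "n": "constructed", "e": "AQAB", "d": "constructed"}]}),
    },
}

if __name__ == "__main__":
    print("\n".join(lint_app_auth_spec(SAMPLE_SPEC)))
```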
