Hi, we have a customer request to validate request...
# talk-oathkeeper
a
Hi, we have a customer request to validate a request based on two different tokens; both tokens need to be valid to allow the request. Each token is provided in a dedicated HTTP header. As I understand, the best solution will be to use a `bearer_token` and a specific session store to validate both tokens. The `jwt` authenticator is not able to validate both tokens, right?
i
This is definitely not possible. I would however appreciate it if you could give some insights. If there are two tokens, based on which one should the identification of the user happen? Maybe you could also share the purpose of each token.
a
Thanks for your answer, the purpose of the two tokens is not really clear … it’s the kind of corporate business requirement that’s kind of exotic for strange reasons 😉 Basically I have the `authorization` header: authenticates the original caller application and describes its permissions through the scope claim; then `x-caller-jwt` certifies that the request has been routed through an authorized gateway. So the identification is based on the `authorization` header, but I should invalidate the identification if the `x-caller-jwt` is not valid. I can create a slim micro service to do the validation of both tokens and send a 200 response in case of success, with the appropriate metadata; the question is how to integrate the micro service in Oathkeeper: @icy-manchester-83109 Any idea?
s
stack oathkeeper instances?