Sign
Encode and sign a JSON Web Token (JWT). The signature of a JWT is used to verify the message wasn't changed while being passed between two services. For tokens signed with a private key, the signature can also be used to verify the sender of the JWT.
Input
| Field | Definition | Type | Required |
|---|---|---|---|
| key | JWT tokens can be signed by a private key so that a second party can then verify that the payload in the token is legitimate. Private keys can be shared, but many algorithms can be decoded by a corresponding public key. | String | FALSE |
| options | |||
| audience | Identifies the recipients for which the JWT is intended. Value is a case-sensitive string containing a string or URI value. Use of the audience claim (aud) is optional. | String | FALSE |
| issuer | Identifies the issuer of the JWT. Value is a case-sensitive string containing a string or URI value. Use of the issuer claim (iss) is optional. | String | FALSE |
| expiresIn | Identifies the amount of time in seconds after which the JWT shouldn't be accepted for processing. Use of the expiresIn claim (exp) is optional. | Number | FALSE |
| jwtid | Provides a unique identifier for the JWT. It can be used to prevent the JWT from being replayed. Value is a case-sensitive string. Use of the jwtid claim (jti) is optional. | String | FALSE |
| noTimestamp | A boolean value that determines whether a timestamp should be added to the signature indicating the time at which the JWT was issued. Use of a timestamp is optional, but timestamps are added by default. | Boolean | FALSE |
| header | Signed tokens use a header known as the JOSE header (JSON Object Signing and Encryption). The header describes both the algorithm (alg) being used to process the data contained in the JWT and the type (typ) of token, usually JWT. This field is encrypted using Base64 encoding before being added to the token. Example:
Copy |
String | FALSE |
| notBefore | Specifies a time prior to which the JWT isn't accepted for processing. It's the inverse of the Expires In value. The value is a number containing a numeric date value (epoch). Use of the notBefore claim (nbf) is optional. | Number | FALSE |
| subject | Identifies the subject of the JWT. For example, if the payload of the token was information about an application user, the subject could be used to pass a user id. It should either be locally unique (as in the previous example) or be globally unique. Value is a case-sensitive string containing a string or URI value. Use of the subject claim (sub) is optional. | String | FALSE |
| algorithm |
Okta Workflows supports the following types of JWT encryption:
|
Dropdown | FALSE |
| payload | Accepts any number of key/value pairs through extensible inputs. To add a key/value pair to the payload, simply drag in an output from another card. As part of creating the token output, each of these pairs is added to a JSON object and encrypted using Base64 encoding. | Object | FALSE |
Output
| Field | Definition | Type |
|---|---|---|
| token | Complete JWT, including the Base64 encoded header and payload, in addition to the signature. | Object |