Sign

Encode and sign a JSON Web Token.

The signature of a JWT is used to verify the message wasn't changed while being passed between two services. For tokens signed with a private key, the signature can also be used to verify the sender of the JWT.

Unless otherwise indicated, field types are text.

Required fields are indicated by a red asterisk.

Input

  • key: the key used to sign the token, so that a second party can subsequently verify that the payload in the token is legitimate; for the HS* algorithms this is a secret shared with the verifier, while for the RS*, ES* and PS* algorithms the private key stays with the signer and the signature is verified with the corresponding public key.

  • options

    • audience: identifies the recipients for which the JWT is intended; the value is a case-sensitive string containing a string or URI value; use of the audience claim (aud) is optional.

    • issuer: identifies the issuer of the JWT; the value is a case-sensitive string containing a string or URI value; the use of the issuer claim (iss) is optional.

    • expiresIn(Number): identifies the expiration time after which the JWT should not be accepted for processing; the value is a number containing a numeric date value (epoch); the use of the expiresIn claim (exp) is optional.

    • jwtid: provides a unique identifier for the JWT; it can be used to prevent the JWT from being replayed; the value is a case-sensitive string; the use of the jwtid claim (jti) is optional.

    • noTimestamp(True/False): boolean value that determines whether a timestamp (the iat claim) is added to the payload indicating the time at which the JWT was issued; the use of a timestamp is optional, but timestamps are added by default.

    • header: signed tokens use a header known as the JOSE header (JSON Object Signing and Encryption); the header describes both the algorithm (alg) being used to process the data contained in the JWT and the type (typ) of token, usually JWT; the header is Base64url-encoded (not encrypted) before being added to the token. Example:

          {
            "typ": "JWT",
            "alg": "HS256"
          }

    • notBefore(Number): identifies the time before which the JWT MUST NOT be accepted for processing; it’s the inverse of the Expires In value; the value is a number containing a numeric date value (epoch); the use of the notBefore claim (nbf) is optional.

    • subject: identifies the subject of the JWT; for example, if the payload of the token was information about an application user, the subject could be used to pass a user id; it should either be locally unique (as in the previous example) or be globally unique; the value is a case-sensitive string containing a string or URI value; the use of the subject claim (sub) is optional.

    • algorithm(dropdown): Okta Workflows supports the following JWT signing algorithms:

      • HS256 (default)

      • HS384

      • HS512

      • RS256

      • RS384

      • RS512

      • ES256

      • ES384

      • ES512

      • PS256

      • PS384

      • PS512

    • payload: accepts any number of key/value pairs through extensible inputs; to add a key/value pair to the payload, simply drag in an output from another card; as part of creating the token output, each of these pairs is added to a JSON object that is Base64url-encoded (not encrypted) and then covered by the signature.

Output

  • token: complete JWT, including the Base64 encoded header and payload, in addition to the signature