Sign

Encode and sign a JSON Web Token (JWT).

The signature of a JWT is used to verify that the message hasn't changed when passed between services.

For tokens signed with a private key, the signature can also verify the sender of the JWT.

Input

Field Definition Type Required

key

The private key used to sign the JWT, so that a second party can then verify that the payload in the token is legitimate.

You can share private keys, but many algorithms can use the corresponding public key for decoding.

 Text FALSE

options

audience

Identifies the intended recipients for the JWT.

This is a case-sensitive text value that contains a string or a URI value.

Use of the audience claim (aud) is optional.

 Text FALSE

issuer

Identifies the issuer of the JWT.

This is a case-sensitive text value that contains a string or a URI value.

Use of the issuer claim (iss) is optional.

 Text FALSE

expiresIn

Identifies the amount of time in seconds after which the JWT shouldn't be accepted for processing.

Use of the expiresIn claim (exp) is optional.

 Number FALSE

jwtid

Provides a unique identifier for the JWT. You can use this identifier to prevent the JWT from being replayed.

This is a case-sensitive text value.

Use of the jwtid claim (jti) is optional.

 Text FALSE

noTimestamp

Indicates whether a time stamp should be added to the signature to indicate the time when the JWT was issued.

This field is optional.

The default value is False, meaning that time stamps are added.

 True/False FALSE

header

Signed tokens use a header known as the JOSE (JSON Object Signing and Encryption) header.

The header includes the algorithm (alg) used to process the data contained in the JWT and the type (typ) of the token, usually JWT. For example:

Copy 
{
    "typ":"JWT",
    "alg":"HS256"
}

This field is Base64-encoded before being added to the token.

 Text FALSE

notBefore

Specifies a time before which the JWT isn't accepted for processing.

This is the inverse of the expiresIn value.

The value is a number that contains a numeric date value (epoch).

Use of the notBefore claim (nbf) is optional.

 Number FALSE

subject

Identifies the subject of the JWT.

For example, if the token payload is information about an app user, you can use the subject field to pass a user ID.

The subject should be locally or globally unique.

This is a case-sensitive text value that contains a string or URI value.

Use of the subject claim (sub) is optional.

 Text FALSE

algorithm

Okta Workflows supports the following signature algorithms for JWT:

  • HS256
  • HS384
  • HS512
  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512
  • PS265
  • PS384
  • PS512

HS256 is the default.

 Dropdown FALSE

payload

This field accepts any number of key and value pairs through extensible inputs.

To add a key and value pair to the payload, drag an output field from another card.

When Okta creates the token output, each of these pairs is added to a JSON object and Base64-encoded.

 Object FALSE

Output

Field Definition Type
token

The complete JSON Web Token (JWT), including the Base64-encoded header, and the payload and signature.

 Text

Related topics

Functions

Workflow elements