Sign
Encode and sign a JSON Web Token.
The signature of a JWT is used to verify the message wasn't changed while being passed between two services. For tokens signed with a private key, the signature can also be used to verify the sender of the JWT.
Unless otherwise indicated, field types are text.
Required fields are indicated by a red asterisk.
Input
- key: the key used to produce the signature, so that a second party can later verify that the payload in the token is authentic; with a shared-secret algorithm (HS256, HS384, HS512) the same key both signs and verifies, so it must be shared with the verifier, while with a private-key algorithm (RS*, ES*, PS*) the signature is verified with the corresponding public key and the private key itself is never shared.
- options
  - audience: identifies the recipients for which the JWT is intended; the value is a case-sensitive string containing a string or URI value; use of the audience claim (aud) is optional.
  - issuer: identifies the issuer of the JWT; the value is a case-sensitive string containing a string or URI value; use of the issuer claim (iss) is optional.
  - expiresIn (Number): identifies the expiration time after which the JWT should not be accepted for processing; the value is a number containing a numeric date value (epoch); use of the expiresIn claim (exp) is optional.
  - jwtid: provides a unique identifier for the JWT; it can be used to prevent the JWT from being replayed; the value is a case-sensitive string; use of the jwtid claim (jti) is optional.
  - noTimestamp (True/False): boolean value that determines whether an issued-at timestamp (iat), recording the time at which the JWT was issued, is added to the token's payload; the timestamp is optional, but it is added by default.
  - header: signed tokens use a header known as the JOSE header (JSON Object Signing and Encryption); the header describes both the algorithm (alg) used to sign the data contained in the JWT and the type (typ) of token, usually JWT; the header is Base64 encoded before being added to the token. Example:
    { "typ":"JWT", "alg":"HS256" }
  - notBefore (Number): identifies the time before which the JWT MUST NOT be accepted for processing; it's the inverse of the expiresIn value; the value is a number containing a numeric date value (epoch); use of the notBefore claim (nbf) is optional.
  - subject: identifies the subject of the JWT; for example, if the payload of the token is information about an application user, the subject could be used to pass a user id; it should either be locally unique (as in the previous example) or globally unique; the value is a case-sensitive string containing a string or URI value; use of the subject claim (sub) is optional.
  - algorithm (dropdown): Okta Workflows supports the following JWT signing algorithms:
    - HS256 (default)
    - HS384
    - HS512
    - RS256
    - RS384
    - RS512
    - ES256
    - ES384
    - ES512
    - PS256
    - PS384
    - PS512
- payload: accepts any number of key/value pairs through extensible inputs; to add a key/value pair to the payload, drag in an output from another card; when the token is created, these pairs are placed in a JSON object which is Base64 encoded.
Output
- token: complete JWT, including the Base64 encoded header and payload, in addition to the signature