Encode and sign a JSON Web Token. The signature of a JWT is used to verify the message wasn't changed while being passed between two services. For tokens signed with a private key, the signature can also be used to verify the sender of the JWT.


| Field | Definition | Type | Required |
|---|---|---|---|
| key | JWTs can be signed with a private key so that a second party can subsequently verify that the payload in the token is legitimate. Private keys can be shared, but with many algorithms the signature can instead be verified using the corresponding public key. | String | FALSE |
| audience | Identifies the recipients for which the JWT is intended. Value is a case-sensitive string containing a string or URI value. Use of the audience claim (aud) is optional. | String | FALSE |
| issuer | Identifies the issuer of the JWT. Value is a case-sensitive string containing a string or URI value. Use of the issuer claim (iss) is optional. | String | FALSE |
| expiresIn | Identifies the amount of time after which the JWT should not be accepted for processing. Value is a number of seconds. Use of the expiresIn claim (exp) is optional. | Number | FALSE |
| jwtid | Provides a unique identifier for the JWT. It can be used to prevent the JWT from being replayed. Value is a case-sensitive string. Use of the jwtid claim (jti) is optional. | String | FALSE |
| noTimestamp | Boolean value that determines whether a timestamp should be added to the token indicating the time at which the JWT was issued. Use of a timestamp is optional, but timestamps are added by default. | Boolean | FALSE |
| header | Signed tokens use a header known as the JOSE (JSON Object Signing and Encryption) header. The header describes both the algorithm (alg) used to process the data contained in the JWT and the type (typ) of token, usually JWT. The header is Base64-encoded (an encoding, not encryption) before being added to the token. Example: | | |
| notBefore | Identifies the time before which the JWT MUST NOT be accepted for processing. It's the inverse of the Expires In value. Value is a number containing a numeric date value (epoch). Use of the notBefore claim (nbf) is optional. | | |
| subject | Identifies the subject of the JWT. For example, if the payload of the token was information about an application user, the subject could be used to pass a user id. It should either be locally unique (as in the previous example) or be globally unique. Value is a case-sensitive string containing a string or URI value. Use of the subject claim (sub) is optional. | | |
| algorithm | Okta Workflows supports the following JWT signing algorithms: HS256 (default), HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512 | Dropdown | FALSE |
| payload | Accepts any number of key/value pairs through extensible inputs. To add a key/value pair to the payload, drag in an output from another card. As part of creating the token output, each of these pairs is added to a JSON object, which is then Base64-encoded (not encrypted). | Object | FALSE |


| Field | Definition | Type |
|---|---|---|
| token | Complete JWT, including the Base64-encoded header and payload, in addition to the signature. | Object |
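
The following is an added example, not Okta's implementation: it shows how the inputs above map onto registered claims in an HS256 token, and the checks a receiving service should apply before trusting it. The names `sign_jwt` and `verify_jwt` are hypothetical, only HS256 is handled, and `aud` is assumed to be a single string.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    # JWT segments are unpadded Base64url: an encoding anyone can reverse, not encryption.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload, key, issuer=None, audience=None, subject=None, jwtid=None,
             expires_in=None, not_before=None, no_timestamp=False, now=None):
    """Hypothetical helper mirroring the card's inputs (HS256 only)."""
    now = int(time.time()) if now is None else now
    claims = dict(payload)
    if not no_timestamp:
        claims["iat"] = now                 # issued-at, added by default
    if expires_in is not None:
        claims["exp"] = now + expires_in    # expiresIn is a number of seconds
    if not_before is not None:
        claims["nbf"] = not_before          # notBefore is an epoch value
    for name, value in (("iss", issuer), ("aud", audience), ("sub", subject), ("jti", jwtid)):
        if value is not None:
            claims[name] = value
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token, key, issuer, audience, now=None):
    """Return the claims, or raise ValueError when any check fails."""
    now = int(time.time()) if now is None else now
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")  # pin the algorithm on the verifier side
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # parsed only after the signature checks out
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims
```

Because the payload segment decodes without the key, secrets do not belong in it; the signature protects integrity only.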
