Encode and sign a JSON Web Token. The signature of a JWT is used to verify the message wasn't changed while being passed between two services. For tokens signed with a private key, the signature can also be used to verify the sender of the JWT.
Input

| Field | Definition | Type | Required |
| --- | --- | --- | --- |
| key | JWT tokens can be signed with a private key so that a second party can subsequently verify that the payload in the token is legitimate. The private key itself is kept secret; for the asymmetric algorithms, the corresponding public key can be shared and is what the second party uses to verify the signature. | String | FALSE |
| payload | Accepts any number of key/value pairs through extensible inputs. To add a key/value pair to the payload, drag in an output from another card. When the token output is created, these pairs are collected into a JSON object and Base64 encoded (Base64 is an encoding, not encryption; the payload is readable by anyone who holds the token). | Object | FALSE |

options

| Field | Definition | Type | Required |
| --- | --- | --- | --- |
| audience | Identifies the recipients for which the JWT is intended. Value is a case-sensitive string containing a string or URI value. Use of the audience claim (aud) is optional. | String | FALSE |
| issuer | Identifies the issuer of the JWT. Value is a case-sensitive string containing a string or URI value. Use of the issuer claim (iss) is optional. | String | FALSE |
| expiresIn | Identifies the amount of time after which the JWT should not be accepted for processing. Value is a number of seconds. Use of the expiresIn option (which sets the exp claim) is optional. | Number | FALSE |
| jwtid | Provides a unique identifier for the JWT. It can be used to prevent the JWT from being replayed. Value is a case-sensitive string. Use of the jwtid claim (jti) is optional. | String | FALSE |
| noTimestamp | Boolean value that determines whether a timestamp indicating the time at which the JWT was issued (the iat claim) is added to the token. Use of a timestamp is optional, but timestamps are added by default. | Boolean | FALSE |
| header | Signed tokens use a header known as the JOSE header (JSON Object Signing and Encryption). The header describes both the algorithm (alg) used to process the data contained in the JWT and the type (typ) of token, usually JWT. The header is Base64 encoded (not encrypted) before it is added to the token. Example: `{"typ":"JWT","alg":"HS256"}` | Object | |
| notBefore | Identifies the time before which the JWT MUST NOT be accepted for processing. It's the inverse of the Expires In value. Value is a number containing a numeric date value (epoch). Use of the notBefore claim (nbf) is optional. | Number | FALSE |
| subject | Identifies the subject of the JWT. For example, if the payload of the token is information about an application user, the subject could be used to pass a user ID. It should be either locally unique (as in the previous example) or globally unique. Value is a case-sensitive string containing a string or URI value. Use of the subject claim (sub) is optional. | String | FALSE |
| algorithm | Okta Workflows supports the following JWT signing algorithms: HS256 (default), HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512 | Dropdown | FALSE |
Output

| Field | Definition | Type |
| --- | --- | --- |
| token | Complete JWT, including the Base64 encoded header and payload, in addition to the signature. | String |
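As an added worked example (this is not Okta's code and not the card's implementation), the Python below builds a token the way the inputs above describe: each option is mapped to its registered claim, the header and payload are Base64url encoded, and the token is signed with one of the HS* algorithms using only the standard library. It also shows the receiving side: the signature is checked with a constant-time comparison, the algorithm is pinned so the token cannot choose it, and the exp, nbf and aud claims are enforced. The function names `encode_jwt`, `verify_jwt` and `try_verify`, the sample secret and the fixed timestamps are constructed for illustration; the RS*, ES* and PS* families listed on the page need a real library such as PyJWT and are deliberately not implemented here.

```python
import base64
import hashlib
import hmac
import json
import time

# Only the HMAC family from the card's algorithm dropdown is implemented in this example.
HMAC_ALGORITHMS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWTs require (this is encoding, not encryption)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url_encode: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(key: str, payload: dict, options: dict = None, header: dict = None, now: int = None) -> str:
    """Assemble header.payload.signature from the payload plus the option fields described above."""
    options = dict(options or {})
    header = dict(header or {})
    now = int(time.time()) if now is None else now
    # The algorithm option wins over an alg supplied in the header; default is HS256 as on the page.
    alg = options.pop("algorithm", None) or header.get("alg") or "HS256"
    if alg not in HMAC_ALGORITHMS:
        raise ValueError(f"unsupported algorithm for this example: {alg}")

    claims = dict(payload)
    # Map each option name to the registered claim it stands for.
    claim_names = {"audience": "aud", "issuer": "iss", "jwtid": "jti", "subject": "sub", "notBefore": "nbf"}
    for option, claim in claim_names.items():
        if option in options:
            claims[claim] = options[option]
    if "expiresIn" in options:  # seconds from now, turned into an absolute exp claim
        claims["exp"] = now + int(options["expiresIn"])
    if not options.get("noTimestamp", False):  # iat is added by default
        claims["iat"] = now

    hdr = {"typ": "JWT", **header, "alg": alg}
    signing_input = (
        b64url_encode(json.dumps(hdr, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key.encode(), signing_input.encode(), HMAC_ALGORITHMS[alg]).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(key: str, token: str, audience: str = None, now: int = None) -> dict:
    """Check signature and time claims; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    # Pin the accepted algorithms to what this verifier holds a key for; the token must not pick.
    if alg not in HMAC_ALGORITHMS:
        raise ValueError(f"algorithm not allowed: {alg}")
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), HMAC_ALGORITHMS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    if audience is not None and claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    return claims


def try_verify(key: str, token: str, **kwargs):
    """Convenience wrapper: (claims, None) on success, (None, reason) on rejection."""
    try:
        return verify_jwt(key, token, **kwargs), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed sample values; a real secret would come from a secret store, never from source.
    secret, issued_at = "constructed-demo-secret", 1_700_000_000
    token = encode_jwt(secret, {"role": "reader"},
                       {"audience": "api", "issuer": "workflows", "expiresIn": 300, "subject": "user-42"},
                       now=issued_at)
    print(token)
    print(try_verify(secret, token, audience="api", now=issued_at + 10))
    print(try_verify(secret, token, audience="api", now=issued_at + 300))  # expired
```

The verifier deliberately ignores what the token says about itself beyond looking up `alg` in its own allow-list: a token whose header names an algorithm the verifier has no key for (including the unsigned `none` variant) is rejected before any signature work is done, and the comparison uses `hmac.compare_digest` so that timing does not leak how many signature bytes matched.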