Sign

key

The private key used to sign the JWT, so that a second party can then verify that the payload in the token is legitimate.

You can share private keys, but many algorithms can use the corresponding public key for decoding.

options

audience

issuer

expiresIn

Identifies the amount of time in seconds after which the JWT shouldn't be accepted for processing.

Use of the expiresIn claim (exp) is optional.

jwtid

Provides a unique identifier for the JWT. You can use this identifier to prevent the JWT from being replayed.

This is a case-sensitive text value.

Use of the jwtid claim (jti) is optional.

noTimestamp

Indicates whether a time stamp should be added to the signature to indicate the time when the JWT was issued.

This field is optional.

The default value is False, meaning that time stamps are added.

header

Signed tokens use a header known as the JOSE (JSON Object Signing and Encryption) header.

The header includes the algorithm (alg) used to process the data contained in the JWT and the type (typ) of the token, usually JWT. For example:

{
	"typ":"JWT",
	"alg":"HS256"
}

This field is Base64-encoded before being added to the token.

notBefore

Specifies a time before which the JWT isn't accepted for processing.

This is the inverse of the expiresIn value.

The value is a number that contains a numeric date value (epoch).

Use of the notBefore claim (nbf) is optional.

subject

algorithm

payload

This field accepts any number of key and value pairs through extensible inputs.

To add a key and value pair to the payload, drag an output field from another card.

When Okta creates the token output, each of these pairs is added to a JSON object and Base64-encoded.

The complete JSON Web Token (JWT), including the Base64-encoded header, and the payload and signature.