Sign
Encode and sign a JSON Web Token (JWT).
The signature of a JWT is used to verify that the message hasn't changed when passed between services.
For tokens signed with a private key, the signature can also verify the sender of the JWT.
Input
Field | Definition | Type | Required |
---|---|---|---|
key | The private key used to sign the JWT, so that a second party can then verify that the payload in the token is legitimate. You can share private keys, but many algorithms can use the corresponding public key for decoding. | Text | FALSE |
options | | | |
audience | Identifies the intended recipients for the JWT. This is a case-sensitive text value that contains a string or a URI value. Use of the audience claim (aud) is optional. | Text | FALSE |
issuer | Identifies the issuer of the JWT. This is a case-sensitive text value that contains a string or a URI value. Use of the issuer claim (iss) is optional. | Text | FALSE |
expiresIn | Identifies the amount of time in seconds after which the JWT shouldn't be accepted for processing. Use of the expiresIn claim (exp) is optional. | Number | FALSE |
jwtid | Provides a unique identifier for the JWT. You can use this identifier to prevent the JWT from being replayed. This is a case-sensitive text value. Use of the jwtid claim (jti) is optional. | Text | FALSE |
noTimestamp | Indicates whether a time stamp should be added to the signature to indicate the time when the JWT was issued. This field is optional. The default value is False, meaning that time stamps are added. | True/False | FALSE |
header | Signed tokens use a header known as the JOSE (JSON Object Signing and Encryption) header. The header includes the algorithm (alg) used to process the data contained in the JWT and the type (typ) of the token, usually JWT. This field is Base64-encoded before being added to the token. | Text | FALSE |
notBefore | Specifies a time before which the JWT isn't accepted for processing. This is the inverse of the expiresIn value. The value is a number that contains a numeric date value (epoch). Use of the notBefore claim (nbf) is optional. | Number | FALSE |
subject | Identifies the subject of the JWT. For example, if the token payload is information about an app user, you can use the subject field to pass a user ID. The subject should be locally or globally unique. This is a case-sensitive text value that contains a string or URI value. Use of the subject claim (sub) is optional. | Text | FALSE |
algorithm | Okta Workflows supports the following signature algorithms for JWT: HS256 is the default. | Dropdown | FALSE |
payload | This field accepts any number of key and value pairs through extensible inputs. To add a key and value pair to the payload, drag an output field from another card. When Okta creates the token output, each of these pairs is added to a JSON object and Base64-encoded. | Object | FALSE |
Output
Field | Definition | Type |
---|---|---|
token | The complete JSON Web Token (JWT), including the Base64-encoded header, and the payload and signature. | Text |
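
How the input fields above end up in the token, and the checks a receiving service should run on it, shown as an added Python example that is not Okta's implementation. It covers HS256 only and assumes expiresIn is counted in seconds from the issue time; the names `sign`, `verify`, `b64url`, `b64url_decode` and the `now` parameter are hypothetical.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    # JWT segments are URL-safe Base64 with the padding stripped (RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key, payload, *, audience=None, issuer=None, subject=None, jwtid=None,
         expires_in=None, not_before=None, no_timestamp=False, now=None):
    """Build an HS256 token; keyword names mirror the card's option fields."""
    now = int(time.time()) if now is None else now
    claims = dict(payload)
    if not no_timestamp:
        claims["iat"] = now                  # issued-at, added unless noTimestamp
    if expires_in is not None:
        claims["exp"] = now + expires_in     # assumption: seconds after issue time
    if not_before is not None:
        claims["nbf"] = not_before           # epoch value, as the page describes
    for name, value in (("aud", audience), ("iss", issuer), ("sub", subject), ("jti", jwtid)):
        if value is not None:
            claims[name] = value
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    mac = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"

def verify(key, token, *, audience=None, issuer=None, now=None):
    """Receiving side: return the claims only if every check passes, else None."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        mac = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(sig)):
            return None                      # header or payload changed, or wrong key
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
    except ValueError:
        return None                          # malformed token
    if header.get("alg") != "HS256":         # pin the algorithm rather than trusting the header
        return None
    if "exp" in claims and now >= claims["exp"]:
        return None
    if "nbf" in claims and now < claims["nbf"]:
        return None
    for name, want in (("aud", audience), ("iss", issuer)):
        if want is not None and claims.get(name) != want:
            return None
    return claims
```

The header and payload segments are only encoded, not encrypted, so anything placed in the payload is readable by whoever holds the token.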