Encode and sign a JSON Web Token (JWT). The signature of a JWT is used to verify the message wasn't changed while being passed between two services. For tokens signed with a private key, the signature can also be used to verify the sender of the JWT.


Field Definition Type Required
key JWT tokens can be signed by a private key so that a second party can then verify that the payload in the token is legitimate. Private keys can be shared, but many algorithms can be decoded by a corresponding public key. String FALSE
audience Identifies the recipients for which the JWT is intended. Value is a case-sensitive string containing a string or URI value. Use of the audience claim (aud) is optional. String FALSE
issuer Identifies the issuer of the JWT. Value is a case-sensitive string containing a string or URI value. Use of the issuer claim (iss) is optional. String FALSE
expiresIn Identifies the amount of time in seconds after which the JWT shouldn't be accepted for processing. Use of the expiresIn claim (exp) is optional. Number FALSE
jwtid Provides a unique identifier for the JWT. It can be used to prevent the JWT from being replayed. Value is a case-sensitive string. Use of the jwtid claim (jti) is optional. String FALSE
noTimestamp A boolean value that determines whether a timestamp should be added to the signature indicating the time at which the JWT was issued. Use of a timestamp is optional, but timestamps are added by default. Boolean FALSE
header Signed tokens use a header known as the JOSE header (JSON Object Signing and Encryption). The header describes both the algorithm (alg) being used to process the data contained in the JWT and the type (typ) of token, usually JWT. This field is encrypted using Base64 encoding before being added to the token. Example:
String FALSE
notBefore Specifies a time prior to which the JWT isn't accepted for processing. It's the inverse of the Expires In value. The value is a number containing a numeric date value (epoch). Use of the notBefore claim (nbf) is optional. Number FALSE
subject Identifies the subject of the JWT. For example, if the payload of the token was information about an application user, the subject could be used to pass a user id. It should either be locally unique (as in the previous example) or be globally unique. Value is a case-sensitive string containing a string or URI value. Use of the subject claim (sub) is optional. String FALSE
algorithm Okta Workflows supports the following types of JWT encryption:
  • HS256 (default)
  • HS384
  • HS512
  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512
  • PS265
  • PS384
  • PS512
Dropdown FALSE
payload Accepts any number of key/value pairs through extensible inputs. To add a key/value pair to the payload, simply drag in an output from another card. As part of creating the token output, each of these pairs is added to a JSON object and encrypted using Base64 encoding. Object FALSE


Field Definition Type
token Complete JWT, including the Base64 encoded header and payload, in addition to the signature. Object

Related topics


Workflow elements