Page tree
Skip to end of metadata
Go to start of metadata

N.B.: Using this node requires the WSF license option.

This node generates a JSON Web Token (JWT) that can then be used by workflow. A JWT is composed by 2 or 3 parts depends of if it is signed or not.

  • Part 1: header
header = '{"alg":"HS256","typ":"JWT"}'
  • Part 2: payload
payload = '{"loggedInAs":"admin","iat":1422779638}'
  • Part 3: signature
key           = 'secretkey'
unsignedToken = encodeBase64(header) + '.' + encodeBase64(payload)
signature     = HMAC-SHA256(key, unsignedToken)



  • Display name the name of the node as it will appear in the Workflow. Replaces the term “JWT Generate”.
  • JSON attribute payload : JSON attribute containing the payload to use in the JWT.

  • JWT attribute name : attribute name of type String that will be provided by the node and that will contain JWT.

Registered Claims

"Registered Claims" are reserved attributes defined by JWT specification (RFC7519#section-4.1). These attributes are not mandatories in this specification.

  • Issuer : "iss". The principal that issued the JWT.
  • Subject : "sub". The principal that is the subject of the JWT.
  • Audience(s) : "aud". The recipients that the JWT is intended for. The audience is a string if there is only one recipient (Service 1), or an array if there are more than one recipient (["Service1", "Service 2"]).
  • Expiration Time : "exp". The expiration time (in seconds) on or after which the JWT must not be accepted for processing. ex: 1300819380 or ${calc(calc(time(), '/', '1000000'),'+','120')}
  • Not Before : "nbf". The time (in seconds) before which the JWT must not be accepted for processing. ex: 1300819380 or ${calc(calc(time(), '/', '1000000'),'-','60')}
  • Issued At : "iat". The time (in seconds) at which the JWT was issued. ex: 1300819380 or ${calc(time(), '/', '1000000')}
  • JWT ID : "jti". A unique identifier for the JWT. Can be used to prevent the JWT from being replayed. It is a case-sensitive string.

These claims will override claims founded in JSON Payload.


It is possible to sign JWT specifying an algoritm and a key from the Keystore.

  • Algorithm : signature algorithms defined by specification RFC7518

    • none (No digital signature or MAC performed) : the generated token will not be signed and will be formed like this: Base64_URL_encode(header) . Base64_URL_encode(payload)

    • HS256 (HMAC using SHA-256)

    • HS384 (HMAC using SHA-384)

    • HS512 (HMAC using SHA-512)
    • RS256 (RSASSA-PKCS1-v1_5 using SHA-256)
    • RS384 (RSASSA-PKCS1-v1_5 using SHA-384)
    • RS512 (RSASSA-PKCS1-v1_5 using SHA-512)
  • Keystore : profile containing the key to use. See Keystores.
  • Key Name : name of the key used to sign. For HMAC algorithms (HS*) , key's type must be "passphrase". For RSA algorithms (RS*), key's type must be "private".

Required attributes

This node requires no attributes.

Provided attributes

This node provides a String attribute that contains the generated JWT.

This node also provides "jwt.generate.failure" and "jwt.generate.err_message" attributes. The "jwt.generate.failure" attribute (Boolean) will be set to "true" if a processing error occurs. The "jwt.generate.err_message" attribute will then be filled in to provide a message about the error that was raised.

When a processing error occurs, the provided JWT attribute will be empty.