JWT
The purpose of the JWT Step is to retrieve data from a JWT token, validate a JWT token, or sign data to be used as a JWT token.
This video demonstrates how a JWT token can be retrieved, validated and signed.
Parameters
Common
Target path - name of the node in the doc, where contents of the JWT token will be stored.
Token - JWT token to verify or encode
Retrieving
Please note that decoding JWT token values does not verify whether the token has a valid signature. You may want to validate the token before actually using the values encoded...
Do not store secrets and private keys as workspace variables; the recommended practice is to set them through server environment variables.
Mode - decode
Validating
Mode - verify
Algorithm - validation method HS256|RS256. Please refer to the JWT spec to understand the differences. Consult the party that generated the JWT token to understand which algorithm has to be used to verify the token.
Public key (RS256) - public key to validate the token. The best practice is to store the key as a variable and reference it by variable name here.
Salt (HS256) - secret used to sign the token
Please note that when the token is not valid, an error is thrown, which the next steps can then use to determine whether they should be executed. If you wish to stop execution of the flow and return an error, we recommend using the Catch step.
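The difference between decode mode (see the note under Retrieving) and verify mode, as an added Node.js example that is not the product's own code: `decode` returns whatever payload the token carries, while `verifyHS256` pins the algorithm and checks the HMAC and the `exp` claim before returning it. The function names, the sample payload and the edited token are constructed for illustration; the secret `token-password` is the one used in the HS256 examples on this page.

```javascript
// Added example, not the product's code: decode vs. verify for HS256 (Node.js built-ins only).
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const parsePart = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
const hmac = (input, secret) => nodeCrypto.createHmac("sha256", secret).update(input).digest();

// Counterpart of "mode: decode": returns the payload and checks nothing.
function decode(token) {
  return parsePart(token.split(".")[1]);
}

// Hypothetical helper, counterpart of "mode: sign" with HS256, so the sample runs offline.
function signHS256(payload, secret) {
  const input = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." + b64url(JSON.stringify(payload));
  return input + "." + b64url(hmac(input, secret));
}

// Counterpart of "mode: verify": algorithm pinned by the caller, never taken from the token.
function verifyHS256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [header, payload, signature] = parts;
  if (parsePart(header).alg !== "HS256") throw new Error("unexpected algorithm");
  const expected = hmac(header + "." + payload, secret);
  const given = Buffer.from(signature, "base64url");
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    throw new Error("invalid signature");
  }
  const claims = parsePart(payload);
  if (typeof claims.exp === "number" && claims.exp <= now) throw new Error("token expired");
  return claims;
}

// Constructed sample: same secret as the page's HS256 examples, payload edited after signing.
function demo() {
  const secret = "token-password";
  const token = signHS256({ userId: 123, role: "user", exp: 1998073222 }, secret);
  const [header, , signature] = token.split(".");
  const edited = [header, b64url(JSON.stringify({ userId: 123, role: "admin", exp: 1998073222 })), signature].join(".");
  let verifyError = null;
  try { verifyHS256(edited, secret); } catch (err) { verifyError = err.message; }
  return { decodedRole: decode(edited).role, verifiedRole: verifyHS256(token, secret).role, verifyError };
}

console.log(demo());
```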
Signing
Mode - sign
Algorithm - validation method HS256|RS256. Please refer to the JWT spec and JWT Playground to understand the differences. The algorithm used should be present in the JWT header; otherwise consult with the signing party regarding the algorithm used.
Private key (RS256) - private key to sign the token. The best practice is to store the key as an environment variable and reference it by variable name here.
Salt (HS256) - secret to use when signing the token
Data - token payload in JSON format
Expires in - time in seconds for which the token should be valid
Examples
Variables used for RS256 examples:
RSA_PRIVATE_KEY
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
RSA_PUBLIC_KEY
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiHYUfiFmjfCcXYTZwNqI
Y3HjglgriqYCbR9lH6kHigk2dJThsFCpfnhjx/9ByzzZLpIPNdaDRhdS3XVIOk/W
1ivrPW7wg7kzYgrVxyAGyZdAc89R9eRbj180jLEKRKvyzRAPCcNmtQRdO7WQth4v
67aurES0iIglTzj36r7etKaUPEZK7ETMU2/H8TiODthvHkjKRvQaoFkZOTdL6DMT
ka+DBcdIx23WG8ibiSTYgpcDMgKFsS+sWXEvExkIJHOD9u2gOX33Zh8a19S4nCa1
FbZK/sLEw77bHyy5ePqDX5oZ+D3Ak5Ir5G0sgjkdjiJ1bFA1pSz0HzDziK12XDTG
kQIDAQAB
-----END PUBLIC KEY-----
Encode (HS256)
Input doc:
{
  "secret": "token-password",
  "data": {
    "userId": 123,
    "role": "admin"
  }
}
Step configuration:
- name: Step jwt
  config:
    mode: sign
    algorithm: HS256
    storeIn: .
    targetPath: token
    json: "{{data}}"
    expiresIn: 10y
    secret: "{{secret}}"
  stepType: jwt
Output doc:
{
  "secret": "token-password",
  "data": {
    "userId": 123,
    "role": "admin"
  },
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgyNDk3MjIyLCJleHAiOjE5OTgwNzMyMjJ9.bzPFWxzaZ_KSr20FTT0rZUjpPktcNb4-upjktH8Mxw8"
}
Encode (RS256)
Input doc:
{
  "data": {
    "userId": 123,
    "role": "admin"
  }
}
Step configuration:
- name: Step jwt
  config:
    mode: sign
    algorithm: RS256
    json: "{{data}}"
    storeIn: .
    targetPath: token
    expiresIn: 10y
    secret: "{{$env.RSA_PRIVATE_KEY}}"
  stepType: jwt
Output doc:
{
  "data": {
    "userId": 123,
    "role": "admin"
  },
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgyNDk3NTU4LCJleHAiOjE5OTgwNzM1NTh9.aryIaNH39DtSvF6ZoajHdntsXkhj5jJJDUzd--QWRsheU2U2rnoDx0zVA_FXcZ2ueEpCqQP6kyVPSuwDTXJjp7OzGjfrJVlM4tj1d00ZCkuHqj_sOSj4UlX5AXX7lGLLru7TG6GvnOkl3OBGpD6e6a0Zz1dZPfv6KoX8HfI-2VPdMFKHmixtj4idG2uoR0oax4zZvRsvUyKTZ8rYQWB3mfb-HYRHqQ9Mz292pAwKgscRk_c8U-T2fmY_rHzf9cwftNxPCX6ieAtouLz8kdeazA_kw31ru6VPD3_HdsXkkI2fraNMTw2GyJnjl6SqIGuN6jbYIy5FMKVHZGnHM2wjIw"
}
Verify (HS256)
Input doc:
{
  "secret": "token-password",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgyNDk3MjIyLCJleHAiOjE5OTgwNzMyMjJ9.bzPFWxzaZ_KSr20FTT0rZUjpPktcNb4-upjktH8Mxw8"
}
Step configuration:
- name: Step jwt
  config:
    mode: verify
    algorithm: HS256
    targetPath: data
    token: "{{token}}"
    secret: "{{secret}}"
  stepType: jwt
Output doc:
{
  "secret": "token-password",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgyNDk3MjIyLCJleHAiOjE5OTgwNzMyMjJ9.bzPFWxzaZ_KSr20FTT0rZUjpPktcNb4-upjktH8Mxw8",
  "data": {
    "userId": 123,
    "role": "admin",
    "iat": 1682497222,
    "exp": 1998073222
  }
}
Verify (RS256)
Input doc:
{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgyNDk3NTU4LCJleHAiOjE5OTgwNzM1NTh9.aryIaNH39DtSvF6ZoajHdntsXkhj5jJJDUzd--QWRsheU2U2rnoDx0zVA_FXcZ2ueEpCqQP6kyVPSuwDTXJjp7OzGjfrJVlM4tj1d00ZCkuHqj_sOSj4UlX5AXX7lGLLru7TG6GvnOkl3OBGpD6e6a0Zz1dZPfv6KoX8HfI-2VPdMFKHmixtj4idG2uoR0oax4zZvRsvUyKTZ8rYQWB3mfb-HYRHqQ9Mz292pAwKgscRk_c8U-T2fmY_rHzf9cwftNxPCX6ieAtouLz8kdeazA_kw31ru6VPD3_HdsXkkI2fraNMTw2GyJnjl6SqIGuN6jbYIy5FMKVHZGnHM2wjIw"
}
Step configuration:
- name: Step jwt
  config:
    mode: verify
    algorithm: RS256
    targetPath: data
    secret: "{{$env.RSA_PUBLIC_KEY}}"
    token: "{{token}}"
  stepType: jwt
Output doc:
{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgyNDk3NTU4LCJleHAiOjE5OTgwNzM1NTh9.aryIaNH39DtSvF6ZoajHdntsXkhj5jJJDUzd--QWRsheU2U2rnoDx0zVA_FXcZ2ueEpCqQP6kyVPSuwDTXJjp7OzGjfrJVlM4tj1d00ZCkuHqj_sOSj4UlX5AXX7lGLLru7TG6GvnOkl3OBGpD6e6a0Zz1dZPfv6KoX8HfI-2VPdMFKHmixtj4idG2uoR0oax4zZvRsvUyKTZ8rYQWB3mfb-HYRHqQ9Mz292pAwKgscRk_c8U-T2fmY_rHzf9cwftNxPCX6ieAtouLz8kdeazA_kw31ru6VPD3_HdsXkkI2fraNMTw2GyJnjl6SqIGuN6jbYIy5FMKVHZGnHM2wjIw",
  "data": {
    "userId": 123,
    "role": "admin",
    "iat": 1682497558,
    "exp": 1998073558
  }
}
Decode
Input doc:
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgyNDk3MjIyLCJleHAiOjE5OTgwNzMyMjJ9.bzPFWxzaZ_KSr20FTT0rZUjpPktcNb4-upjktH8Mxw8"
}
Step configuration:
- name: Step jwt
  config:
    mode: decode
    targetPath: data
    token: "{{token}}"
  stepType: jwt
Output doc:
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgyNDk3MjIyLCJleHAiOjE5OTgwNzMyMjJ9.bzPFWxzaZ_KSr20FTT0rZUjpPktcNb4-upjktH8Mxw8",
  "data": {
    "userId": 123,
    "role": "admin",
    "iat": 1682497222,
    "exp": 1998073222
  }
}