Adobe  I/O JWT for Java Apps

Creating a JWT for a Java App

This example illustrates how to create a JSON Web Token for a Java-language application, using the library io.jsonwebtoken.jjwt. The library is available from

Encode Private Key

The private key from your signing certificate must be DER-encoded before using it to sign the JWT. The following commands create a self-signed certificate, and encode the resulting private key for use with the example:

# create the certificate and private key using openssl
$ openssl req -nodes -text -x509 -newkey rsa:2048 -keyout secret.pem -out certificate.pem -days 356

# convert private key to DER format
$ openssl pkcs8 -topk8 -inform PEM -outform DER -in secret.pem  -nocrypt > secret.key

Create JWT

 * Copyright 2016 Adobe Systems Incorporated
 * All Rights Reserved.

import io.jsonwebtoken.Jwts;

import java.nio.file.*;
import java.util.*;

import static io.jsonwebtoken.SignatureAlgorithm.RS256;
import static java.lang.Boolean.TRUE;

public class SampleJwtTest {

    public static void main(String[] args)
            throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {

        // Sample JWT creation. The example uses SHA256withRSA signature algorithm.

        // API key information (substitute actual credential values)
        String orgId = "048ABCD8562023457F000101@AdobeOrg";
        String technicalAccountId = "";
        String apiKey = "ec9a2091e2c64f0492c612344700abcd";

        // Expiration time in seconds
        Long expirationTime = 86400L;

        // Metascopes associated to key
        String metascopes[] = new String[]{"ent_marketing_sdk"};

        // Secret key as byte array. Secret key file should be in DER encoded format.
        byte[] privateKeyFileContent = Files.readAllBytes(Paths.get("/path/to/secret/key"));

        String imsHost = "";

        // Create the private key
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        KeySpec ks = new PKCS8EncodedKeySpec(privateKeyFileContent);
        RSAPrivateKey privateKey = (RSAPrivateKey) keyFactory.generatePrivate(ks);

        // Create JWT payload
        Map jwtClaims = new HashMap<>();
        jwtClaims.put("iss", orgId);
        jwtClaims.put("sub", technicalAccountId);
        jwtClaims.put("exp", expirationTime);
        jwtClaims.put("aud", "https://" + imsHost + "/c/" + apiKey);
        for (String metascope : metascopes) {
            jwtClaims.put("https://" + imsHost + "/s/" + metascope, TRUE);

        // Create the final JWT token
        String jwtToken = Jwts.builder().setClaims(jwtClaims).signWith(RS256, privateKey).compact();