Creating a JSON web token

Most modern languages have JWT libraries available. We recommend that you use one of these libraries (or another JWT-compatible library) rather than hand-crafting the JWT. Other JWT tools are publicly available, such as the JWT decoder, a handy web-based decoder for Atlassian Connect JWT tokens.

| Language | Library |
|----------|---------|
| Java | atlassian-jwt and jsontoken |
| Python | pyjwt |
| Node.js | node-jwt-simple |
| Ruby | ruby-jwt |
| PHP | firebase php-jwt and luciferous jwt |
| .NET | jwt |
| Haskell | haskell-jwt |

Building a JWT

You must create the JWT that encapsulates your technical-account credentials. You will exchange this JWT for the API access token in the access request. Your JWT must contain the following claims:

| Claim | Description |
|-------|-------------|
| exp | Required. The expiration time, an absolute number of seconds since 1/1/1970 GMT. You must ensure that the expiration time is later than the time of issue. After this time, the JWT is no longer valid. An expiration period is typically one day. |
| iss | Required. The issuer, your organization ID in the format org_ident@AdobeOrg. |
| sub | Required. The subject, your API client account ID in the format: id@techacct.adobe.com. |
| aud | Required. The audience for the token, in the format: https://ims-na1.adobelogin.com/c/api_key. |
| configured claims | Required. The API-access claim configured for your organization: https://ims-na1.adobelogin.com/s/ent_marketing_sdk. |
| jti | Optional. A unique identifier for the token, if configured for your organization. If required, you must use a decimal number greater than any value used before, in order to prevent replay attacks. Otherwise, the request fails. To ensure an acceptable value, you can use the current Unix time (seconds since 1970). |

The following Python script shows how to create a JWT for a sample enterprise using the pyjwt library and the variables we have defined for the required components of the JWT.

Set the expiration time for the JWT to one day from the current time. This is a typical and recommended validity period.

```python
import time

# set expiry time for JSON Web Token (now + one day, in seconds)
expiry_time = int(time.time()) + 60*60*24
```

Use the enterprise credentials and expiration value to create the JWT payload.

```python
# create payload
# org_id, tech_acct, ims_host and api_key are the enterprise credential
# variables defined earlier in the script
payload = {
    "exp" : expiry_time,
    "iss" : org_id,
    "sub" : tech_acct,
    "aud" : "https://" + ims_host + "/c/" + api_key,
    "https://" + ims_host + "/s/" + "ent_marketing_sdk" : True
}
```

Get the private key we will use to sign the JWT.

```python
# read private key from file; the with-block closes the file even on error
with open(priv_key_filename) as priv_key_file:
    priv_key = priv_key_file.read()
```

Create the JWT, signing it with the private key.

```python
import jwt

# create JSON Web Token
jwt_token = jwt.encode(payload, priv_key, algorithm='RS256')
# PyJWT 1.x returns bytes, PyJWT 2.x returns str; decode only when needed
if isinstance(jwt_token, bytes):
    jwt_token = jwt_token.decode("utf-8")
```

For debugging purposes, we print the result. In practice, you should never print or retain JWTs that you create.

```python
# print JSON Web Token
print("Your JSON Web Token is:")
print(jwt_token)
```

Sign and encode the JWT

The JWT must be signed and base-64 encoded for inclusion in the access request. The JWT libraries provide functions to perform these tasks.

The token must be signed using the private key corresponding to a public-key certificate that is associated with your API key. You can associate more than one certificate with an API key. If you do so, you can use the private key of any associated certificate to sign your JWT.

Adobe supports RSASSA-PKCS1-V1_5 Digital Signatures with SHA-2. The JWS algorithm ("alg") parameter value can be RS256, RS384, or RS512.
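The claim and algorithm requirements above can be checked locally before a token is sent in the access request. The following is an added example, not Adobe's code: it decodes a compact JWT with the Python standard library only and lists the requirements it violates, without verifying the signature. The names `lint_jwt`, `make_sample` and `last_jti`, and all sample values, are constructed for illustration.

```python
import base64, json, re, time

ALLOWED_ALGS = ("RS256", "RS384", "RS512")  # the "alg" values the page lists

def _segment(seg):
    """Decode one base64url JWT segment (padding restored) into a JSON value."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def lint_jwt(token, ims_host, api_key, last_jti=None, now=None):
    """Return a list of problems. Hypothetical helper; does NOT verify the signature."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return ["not a signed compact JWT (header.payload.signature)"]
    try:
        header, claims = _segment(parts[0]), _segment(parts[1])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["header and payload must be JSON objects"]
    problems = []
    if header.get("alg") not in ALLOWED_ALGS:
        problems.append("alg must be RS256, RS384 or RS512")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp missing or not in the future")
    if not str(claims.get("iss", "")).endswith("@AdobeOrg"):
        problems.append("iss is not in org_ident@AdobeOrg form")
    if not str(claims.get("sub", "")).endswith("@techacct.adobe.com"):
        problems.append("sub is not in id@techacct.adobe.com form")
    if claims.get("aud") != "https://%s/c/%s" % (ims_host, api_key):
        problems.append("aud is not https://<ims_host>/c/<api_key>")
    if claims.get("https://%s/s/ent_marketing_sdk" % ims_host) is not True:
        problems.append("API-access claim missing or not true")
    if last_jti is not None:  # pass only when jti is configured for the organization
        jti = str(claims.get("jti", ""))
        if not re.fullmatch(r"[0-9]+", jti) or int(jti) <= last_jti:
            problems.append("jti must be a decimal number greater than any used before")
    return problems

def make_sample(header, claims):
    """Constructed demo token with a dummy signature; no server would accept it."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return "%s.%s.ZHVtbXk" % (enc(header), enc(claims))

if __name__ == "__main__":
    host, key = "ims-na1.adobelogin.com", "example_api_key"  # key is a placeholder
    claims = {"exp": int(time.time()) - 60, "iss": "EXAMPLEORG@AdobeOrg",
              "sub": "example_id@techacct.adobe.com", "aud": "https://%s/c/%s" % (host, key)}
    for line in lint_jwt(make_sample({"alg": "HS256"}, claims), host, key):
        print("problem:", line)
```

Run against a token produced by the script above, an empty list means the header and claims match the documented format; it says nothing about whether the signing key is the one associated with the API key.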