JSON Web Token (JWT)


JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plain text of a JSON Web Encryption

(JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.


We suggest you spend some time learning more about JWT. While we can't include everything about JWT in to this document, we can surely point you where you can find more details about the same.


=>What JWT?

      http://jwt.io/introduction/


=>Json Web Token Standards

      http://tools.ietf.org/html/draft-ietf-oauthjson-web-token-25

      http://www.intridea.com/blog/2013/11/7/json-web-token-the-useful-little-standard-you-haven-t-heard-about


=>Anatomy of JWT

      https://scotch.io/tutorials/the-anatomy-of-a-jsonweb-token


=>Creating JSON Web Token in JavaScript

      http://www.jonathan-petitcolas.com/2014/11/27/creating-json-web-token-in-javascript.html


=>Online JWT Generation

     http://codepen.io/jpetitcolas/pen/zxGxKN

     http://jwtbuilder.jamiekurtz.com/


=>Libraries for JWT Generation

     http://jwt.io/#libraries-io


Important Notes about JWT implementation:


  • Plug-in currently supports HS256,HS384,HS512 methods for token encryption


  • JWT can be disabled for developing or debugging purposes by enabling Debug mode from configuration page.


  • In addition to JWT, always use Web Services on Secured Connection (HTTPS) to make it more secured.


  • All the Web Service requests should go to following URL, instead of its method URL. For example,


=>To make a non-secured request, this URL is used:

http://{YourDomainName}/Plugins/ XcellenceIt.Plugin.Misc.NopRestApi/ RemoteService/WebService.svc/GetOrderDetails


=>To make a secured request with JWT, use following URL:

http://{YourDomainName}/Plugins/ XcellenceIt.Plugin.Misc.NopRestApi/ RemoteService/WebService.svc/SecureApi



  • Note that there is only one parameter when you're making a secured request, i.e. Request Token (Security Token aka JWS-JSON Web Signature). Request Token is generated by JWT by combining Header + Pay Load + Signature. This is the request which is being made by Client Application using JWT,validated on server.


  • Make sure to include Application ID, API Key, exp (Expiration time of Token- Time Stamp) along with Pay load, and Signature encrypted using Secret Key. You can also include IAT (Issued AtTime) as per JWT standard. However, currently it is not used for validating requests.


  • For generating JWT request token refer Generating JWT Request Tokens