JSON Web Token (JWT)
(JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.
We suggest you spend some time learning more about JWT. While we can't include everything about JWT in this document, we can point you to where you can find more details.
=>JSON Web Token Standards
=>Anatomy of JWT
=>Online JWT Generation
=>Libraries for JWT Generation
Important Notes about JWT implementation:
- The plug-in currently supports the HS256, HS384 and HS512 methods (HMAC with SHA-2) for signing tokens. These methods sign the token; they do not encrypt its contents.
- JWT can be disabled for development or debugging purposes by enabling Debug mode from the configuration page.
- In addition to JWT, always call the Web Services over a secured connection (HTTPS).
- All Web Service requests should go to the following URL instead of the method URL. For example,
=>To make a non-secured request, this URL is used:
=>To make a secured request with JWT, use the following URL:
- Note that a secured request has only one parameter: the Request Token (Security Token, also known as JWS, JSON Web Signature). The Request Token is generated by JWT by combining Header + Payload + Signature. This is the request made by the Client Application using JWT and validated on the server.
- Make sure to include the Application ID, API Key and exp (expiration time of the token, as a timestamp) in the Payload, along with the Signature generated using the Secret Key. You can also include iat (Issued At time) as per the JWT standard; however, it is currently not used for validating requests.
- To generate a JWT request token, refer to Generating JWT Request Tokens.
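The Header + Payload + Signature construction described in the notes above, together with the matching server-side check, as an added example that is not the plug-in's own code. The claim names `app_id` and `api_key`, the secret and the sample values are assumptions made for illustration; the page does not give the plug-in's actual field names.

```python
import base64, hashlib, hmac, json, time

# Only the three HMAC methods named above are accepted; "none" or any other alg is rejected.
ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Client side: Header + Payload + Signature, joined with dots."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), ALGS[alg]).digest()
    return signing_input + "." + b64url(sig)

def verify_token(token: str, secret: bytes, now=None) -> dict:
    """Server side: check alg, then signature, then exp. Raises ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        digest = ALGS[header["alg"]]
        sig = b64url_decode(sig_b64)
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed token or unsupported alg") from exc
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), digest).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # parsed only after the MAC checks out
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("token expired or exp missing")
    return claims

# Constructed sample values; the claim names app_id and api_key are hypothetical.
SECRET = b"constructed-demo-secret"
CLAIMS = {"app_id": "demo-app", "api_key": "demo-key", "exp": int(time.time()) + 300}

if __name__ == "__main__":
    token = make_token(CLAIMS, SECRET)
    print(token)
    print(verify_token(token, SECRET))
```

The payload is only base64url-encoded, so anything placed in it is readable by whoever sees the token; this is why the HTTPS note above still applies.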