Applies to ReadyAPI 3.0, last modified on November 15, 2019

A JSON Web Token (JWT) is a compact, URL-safe token made of three base64url-encoded parts separated by dots: a JSON header, a JSON payload that carries a number of claims, and a signature computed over the first two parts. In ReadyAPI, you can send JWT assertions to the authorization server to authenticate a client. You can send a JWT assertion when obtaining an access token by using the JWT Profile for Authorization Grants. Also, you can include a JWT assertion when using the Authorization Code, Resource Owner Password Credentials or Client Credentials grant. This topic describes how to generate a JSON Web Token in ReadyAPI.

Note: Assertion in this case is a term used in OAuth 2.0. Do not confuse it with assertions you use in ReadyAPI to verify responses and requests.

To generate a JSON Web Token, click the Generate JWT button when configuring a request for an access token. If you use the Authorization Code, Resource Owner Password Credentials or Client Credentials grant, you need to select Apply Client JWT Assertion first:

Generate JSON Web Token


Generate JSON Web Token Dialog

In the Generate JSON Web Token dialog, you specify how to encode the JSON Web Token and configure the content of the token.

Create JSON Web Token


Option          Description
Sign Algorithm  The algorithm used to sign the JWT. You can select RS256 (RSA signature over a SHA-256 digest; the private key comes from the keystore selected below) or HS256 (HMAC with SHA-256 over a shared secret). Select None to generate an unsigned token: the header's alg is "none" and the signature part is empty. Use None only when testing against a server that explicitly accepts unsigned tokens; an authorization server that accepts them cannot tell your client from anyone who can type a JSON payload, so production servers must reject alg "none".
Keystore        The keystore that holds the key used to sign the token. To add the needed keystore, use the Keystores tab of the WS-Security configuration dialog.
Alias           The alias of the key entry in the keystore that is used to sign the token.
Alias password  The password that protects the key entry under that alias.
JWT Header      The header part of the JSON Web Token. Using the property toolbar, you can add, remove and sort properties, load and save property values or clear them.

The header part describes how the JWT is signed. Note that a signed JWT is not encrypted: anyone who obtains the token can base64url-decode the header and payload and read every claim, so do not put secrets in either part. Usually, the header consists of two elements:

  • alg - the signing algorithm (RS256, HS256 or none). It must match the Sign Algorithm setting, and a well-behaved authorization server checks it against the algorithm it expects rather than trusting the value in the token.

  • typ - the type of the generated token. In most cases, it is JWT.

Also, the header may contain additional elements.

JWT Payload     The payload part of the JSON Web Token. This part contains the claims that will be included in the JWT.

The JWT payload contains a number of claims that you send to the authorization server within the generated JWT. When the JWT is used as a client assertion (RFC 7523), iss and sub are normally both the client ID, aud is the URL of the authorization server's token endpoint, and exp is required. The list below contains some of the possible registered claims:

  • iss - specifies the issuer who issued the JWT.

  • sub - specifies the subject of the JWT.

  • aud - specifies the audience for which the JWT is intended.

  • exp - the expiration time on or after which the JWT must not be accepted. Like nbf and iat, it is a NumericDate: the number of seconds since 1970-01-01T00:00:00Z, not a formatted date string. Keep the lifetime short (minutes, not days), because a leaked assertion is usable until it expires.

  • nbf - the time before which the JWT must not be accepted.

  • iat - the time at which the JWT was issued.

  • jti - the unique identifier of the JWT.
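To make the dialog's settings concrete, the following is an added example written for this page in Python; it is not ReadyAPI's code. It builds the same header and claim set the dialog produces for a client assertion, signs it with HS256 (HMAC-SHA256 from the standard library, so it runs offline; an RS256 variant would replace the HMAC with an RSA PKCS#1 v1.5 signature over SHA-256 using the keystore's private key), shows what the None setting emits, and includes the verification an authorization server should perform: pin the algorithm, check the signature before trusting any claim, then check aud, exp and nbf. The client ID, token endpoint URL and shared secret are constructed sample values, and all function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed sample inputs for this example (not real credentials or endpoints).
CLIENT_ID = "readyapi-demo-client"
TOKEN_ENDPOINT = "https://auth.example.test/oauth2/token"
SHARED_SECRET = b"constructed-hs256-secret-do-not-reuse"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url; restores the padding that was stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_client_assertion(client_id, token_endpoint, secret, alg="HS256",
                           now=None, lifetime=300, jti=None):
    """Return header.payload.signature with the claims the dialog lets you fill in.

    alg="HS256" signs with HMAC-SHA256 over the shared secret. alg="none"
    reproduces the dialog's None setting: an unsecured JWT whose third part is empty.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    payload = {
        "iss": client_id,                 # for a client assertion the issuer is the client
        "sub": client_id,                 # ... and so is the subject
        "aud": token_endpoint,            # the server that is meant to accept this token
        "iat": now,                       # NumericDate: seconds since the Unix epoch
        "nbf": now,
        "exp": now + lifetime,            # short lifetime limits the damage of a leak
        "jti": jti or str(uuid.uuid4()),  # unique id so the server can detect replays
    }
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    if alg == "HS256":
        signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    elif alg == "none":
        signature = b""                   # unsecured JWT: nothing protects the claims
    else:
        raise ValueError(f"unsupported alg {alg!r}")
    return signing_input + "." + b64url(signature)


def verify_client_assertion(token, secret, expected_aud, now=None, leeway=0):
    """Validate a token the way an authorization server should; raise ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    header_seg, payload_seg, sig_seg = parts
    header = json.loads(b64url_decode(header_seg))
    # Pin the algorithm: the token never gets to choose it, and "none" is never acceptable.
    if header.get("alg") != "HS256":
        raise ValueError(f"unacceptable alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_seg}.{payload_seg}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_seg)):
        raise ValueError("signature mismatch")
    # Only now is the payload trustworthy enough to read.
    claims = json.loads(b64url_decode(payload_seg))
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    if "exp" not in claims or now >= claims["exp"] + leeway:
        raise ValueError("token expired or has no exp")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def is_valid_assertion(token, secret, expected_aud, now=None):
    """Boolean wrapper around verify_client_assertion for callers that only need a verdict."""
    try:
        verify_client_assertion(token, secret, expected_aud, now=now)
        return True
    except ValueError:  # json and base64 decoding errors are ValueError subclasses too
        return False


if __name__ == "__main__":
    token = build_client_assertion(CLIENT_ID, TOKEN_ENDPOINT, SHARED_SECRET)
    print(token)
    print(verify_client_assertion(token, SHARED_SECRET, TOKEN_ENDPOINT))
```

Paste the printed token into a JWT decoder and you will see exactly the header and payload the dialog shows, which is also the point of the verifier's ordering: because the payload is readable by anyone, only the signature check (performed with an algorithm the server chose, not the one the token names) lets the server trust iss, sub and aud.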

See Also

Automating Token Retrieval
OAuth 2.0 Grant Types
OAuth 2.0 and OAuth 2.0 (Azure)
