Json Web Token policy generates a signed JSON Web token with a provided set of claims and header.


The properties that have to be configured to use the policy are described below.

Figure 1: Json Web Token policy configuration attributes



Specifies the encryption/signed algorithm to encrypt/sign.

Provide HS256 or RS256 or ES256 as input to be used to generate a token.

  • For HS256, Secret Key has to be provided.
  • For RS256 and ES256, Key ID has to be provided.

Key ID

The Key ID value corresponding to the algorithm chosen, as provided in the JSON web keys.


The JSON Private Keys can be provided in the following ways:

  1. The Key ID and other parameters of each algorithm can be grouped into a JSON as given in the sample below:

    These JSON web keys (JWK) have to be fed into the Context Variable named "JsonWebKeys" using the Assign Variables policy.


    For the JWK structure as in the sample above, refer to the link:

  2. If the JSON Web keys have to be fetched from a File Store, a Callout policy can be used.

  3. If the JSON Web keys are exposed in an HTTPS URL (Eg:, a Service Call Out policy can be used and the response can be assigned to Context Variables using Assign Variables policy to fetch the keys.


Subject of the JWT issued.

This property is optional.


The "iss" (issuer) claim identifies the entity that issues the JWT.

This property is optional.


Recipient value. The audience value is comprised of comma separated strings.

This property is optional.

Time to be expired

The time the token has to be expired.


The message that needs to be displayed.

This property is optional.

Additional Claim

To provide custom claims other than the above properties.

Secret Key

Where HS256 symmetric algorithm is chosen, Secret Key has to be provided. The minimum length of the string has to be 256 bit.

Creating a JWT policy

Generate token using postman.

Request - CURL request to generate Json Web Token:
Response - Generates json web token to access the resources.

Figure 2: Sample request via postman

Adaptavist ThemeBuilder EngineAtlassian Confluence