This policy verifies the generated JWS. If the signature value has been tampered or the signature is different, it will not allow the user to access the resource.


The properties that have to be configured to use the policy are described below.

Figure 1: Verify Json Web Signature Policy configuration attributes

Secret Key

Where HS256 symmetric algorithm is chosen, Secret Key has to be provided. The minimum length of the string has to be 256 bit.


Where asymmetric algorithms RS256 or ES256 is chosen, the public JSON Web Keys should be provided in any of the following ways:

  • The Key ID and other parameters of each algorithm can be grouped into a JSON as given in the sample below:

    These public JSON web keys (JWK) have to be fed into the Context Variable named "PublicJsonWebKeys" using the Assign Variables policy.


    For the JWK structure as in the sample above, refer to the link:

  • If the JSON Web keys have to be fetched from a File Store, a Callout policy can be used.

  • If the JSON Web keys are exposed in an HTTPS URL (Eg:, a Service Call Out policy can be used and the response can be assigned to Context Variables using Assign Variables policy to fetch the keys.

JWS IdentifierConfigure the Message Part Identifier which contains theContent Type through which the JWS is passed.

Detached Content

In certain cases, it will be useful to protect the integrity of the content that is not itself contained in a JWS. Perform the following actions by detaching content as follows:

  1. Create Assign Variable policy with the respective variable names and identifiers.

    Figure 2: Verify Json Web Signature Policy configuration attributes


    This sets the values in context variable with the specified names.

  2. Go to $FioranoHome/APIManagement\samples\JavaCallOuts\DetachedJWSClaim and run the compiled script. This creates a Classes directory containing a jar with compiled classes.


    The java class can be modified as per requirement.

  3. Configure Java Call Out policy using the jar created above.

  4. Configure the Verify JWS policy as explained in this page.


Use browser/postman to send the request as below:

The request contains JWS (Header and Signature) and claim as payload.


Verifies the signature and allows to access the respective resources.

Adaptavist ThemeBuilder EngineAtlassian Confluence