This policy verifies the generated JSON Web Token. If the token value has been tampered with or the token is otherwise invalid, the user is not allowed to access the resource.


The properties that have to be configured to use the policy are described below.

Figure 1: Verify Json Web Token policy configuration attributes

JWT Token Identifier

Configure the Message Part Identifier which contains the Content Type through which the JWT is passed.

Specifies the signing algorithm (HS256, RS256 or ES256) that was used to generate the token.

Key ID

The Key ID value corresponding to the algorithm chosen, which is provided in the JSON web keys.


The JSON Public Keys can be provided in the following ways:

  • The Key ID and other parameters of each algorithm can be grouped into a JSON as given in the sample below:

    These JSON web keys (JWK) have to be fed into the Context Variable named "PublicJsonWebKeys" using the Assign Variables policy.


    For the JWK structure as in the sample above, refer to the link:

  • If the JSON Web keys have to be fetched from a File Store, a Callout policy can be used.

  • If the JSON Web keys are exposed at an HTTPS URL, a Service Call Out policy can be used, and the response can be assigned to Context Variables using the Assign Variables policy to fetch the keys.


Subject of the JWT issued as provided in the Json Web Token policy.


Provide values for Subject, Issuer and Audience (described below) only if these values are provided in the Json Web Token policy.


The "iss" (issuer) claim identifies the entity that issues the JWT. Provide the same as provided in the Json Web Token policy.


Recipient value. The audience value consists of comma-separated strings.

This property is optional.

Additional Claim

To provide custom claims other than the above properties.

Secret Key

Where the HS256 symmetric algorithm is chosen, a Secret Key has to be provided. The minimum length of the string is 256 bits.
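The checks these properties imply for an HS256 token, written out as an added Python example (not the product's own code): the algorithm is pinned to the configured value, the secret must be at least 256 bits, and Subject, Issuer and Audience are compared only when configured. The function names, the sample secret and the rule that any one configured audience may match are assumptions of this example.

```python
import base64, hashlib, hmac, json

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a constructed sample token so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def verify_hs256(token, secret, issuer=None, subject=None, audience=None):
    """Return the claims if the token passes every check, else raise ValueError."""
    if len(secret) * 8 < 256:
        raise ValueError("secret key shorter than 256 bits")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        raise ValueError("malformed token") from None
    # Pin the algorithm to the configured one; the token header must not choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if issuer is not None and claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if subject is not None and claims.get("sub") != subject:
        raise ValueError("subject mismatch")
    if audience is not None:  # configured as comma-separated strings
        allowed = {a.strip() for a in audience.split(",")}
        aud = claims.get("aud", [])
        token_aud = set([aud] if isinstance(aud, str) else aud)
        if not allowed & token_aud:
            raise ValueError("audience mismatch")
    return claims

SECRET = b"constructed-sample-secret-32byte"  # constructed value, exactly 256 bits
```

A token whose payload was altered after signing fails at the signature comparison, before any claim is read.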

Verifying a JSON Web Token


Use the following URL in the browser/postman:

JWT Token Verify URL

Access to the resources is granted if the token is valid.
