JWT
Create and validate JSON Web Tokens (JWTs) using Connection-based signing and validation settings.
Revision History
0.0.0.1 - Initial release.
0.0.0.2 - Updated discovery URL Connection property to use OIDC metadata URL.
Setup Notes
- Use `Method` on the Connection to switch between token creation settings and token validation settings.
- For signed token creation, install the certificate on a local Runtime and provide the certificate thumbprint.
- If `Certificate Thumbprint` is empty during `Create`, the token is generated unsigned for inspection-only scenarios.
Connection
| Parameter | Type | Applies To | Description |
|---|---|---|---|
| Method | List | All | Selects which Connection settings are used: Create or Validate. |
| Certificate Store Location | List | Create | Certificate store location used to find the signing certificate. Default: CurrentUser. |
| Certificate Store Name | List | Create | Certificate store name used to find the signing certificate. Default: My. |
| Certificate Thumbprint | String | Create | Thumbprint used to resolve the signing certificate. Leave empty to create an unsigned token. |
| Signing Keys | Multiline Text | Validate | Public signing keys used to validate the token signature. |
| Clock Skew In Minutes | Integer | Validate | Time drift tolerance when validating lifetime values. Default: 5. |
| Validate If Token Is Signed | Boolean | Validate | Checks whether the token signing state is acceptable for validation. Default: true. |
| Validate Expiration | Boolean | Validate | Validates token expiration (exp). Default: true. |
| Validate Lifetime | Boolean | Validate | Validates token lifetime windows. Default: true. |
| Validate Audience | Boolean | Validate | Validates token audience against Audience. Default: true. |
| Audience | String | Validate | Expected audience value. |
| Validate Issuer | Boolean | Validate | Validates token issuer against Issuers. Default: true. |
| Issuers | Multiline Text | Validate | Expected token issuer value(s). |
| Issuer Validation Mode | List | Validate | Controls how issuer values are matched. Default: ExactMatch. |
| OIDC metadata URL | String | Validate | The OpenID Connect discovery endpoint used to automatically retrieve configuration and signing keys when explicit signing keys are not provided. |

Issuer Validation Mode values:
- `ExactMatch` - Issuer must match exactly.
- `StartsWith` - Issuer must start with one configured value.
- `AnyOf` - Issuer must match any configured value.
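
An added example, not the connector's own code: a Python model of how the Validate settings above combine for claims checks (signing state, `exp` with Clock Skew In Minutes, Audience, Issuers with `ExactMatch` or `StartsWith`). The function names, error labels and sample tokens are assumptions; signature verification and the `AnyOf` mode are not modelled.

```python
import base64
import json
import time

def b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_claims(token, audience, issuers, mode="ExactMatch",
                 skew_minutes=5, now=None):
    """Return the list of failed checks (empty list = claims acceptable)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) < 3:
        return ["segments"]
    header, payload = decode_json(parts[0]), decode_json(parts[1])
    errors = []
    # Treat alg "none" or an empty signature segment as unsigned.
    if str(header.get("alg", "none")).lower() == "none" or not parts[2]:
        errors.append("unsigned")
    # exp is still accepted up to skew_minutes after the nominal expiry.
    if "exp" not in payload or now > payload["exp"] + skew_minutes * 60:
        errors.append("expired")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        errors.append("audience")
    iss = payload.get("iss") or ""
    # Assumed semantics: StartsWith is a plain string-prefix comparison.
    if mode == "StartsWith":
        ok = any(iss.startswith(i) for i in issuers)
    else:  # ExactMatch
        ok = iss in issuers
    if not ok:
        errors.append("issuer")
    return errors

# Constructed sample data; the signature segment is a placeholder, not a real signature.
NOW = 1_700_000_000

def sample(iss, exp, alg="RS256", sig="c2ln"):
    header = b64url_json({"alg": alg, "typ": "JWT"})
    payload = b64url_json({"iss": iss, "aud": "api://orders", "exp": exp})
    return ".".join([header, payload, sig])
```

With `StartsWith`, a configured issuer that does not end at a delimiter such as `/` also matches longer host names that begin with the same text, so end each configured prefix at a path boundary.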
Methods
Create
Creates a JWT and optionally signs it with an RSA certificate private key. This needs to run on a local Runtime.
| Parameter | Type | Notes |
|---|---|---|
| Connection | Connection | JWT Connection configured. |
| Issuer | String | Optional issuer value for the token. |
| Audience | String | Optional audience value for the token. |
| ExpiresMinutes | Integer | Minutes from now until token expiry. Default: 1. |
| Claims | Object | Optional object of custom claims. |

| Return | Type | Notes |
|---|---|---|
| Token | String | Encoded JWT string. |

Validate
Validates a JWT and returns a structured validation result.
| Parameter | Type | Notes |
|---|---|---|
| Connection | Connection | JWT Connection configured. |
| Token | String | Segmented JWT token. At least 3 segments are required. |
| EnableValidation | Boolean | When false, all validation checks are bypassed and the payload is returned for inspection. Use with caution. Default: true. |
| SigningKeys | Multiline Text | Optional node-level signing keys. When provided, these keys are used before Connection-level keys. |

| Return | Type | Notes |
|---|---|---|
| ValidationResult | Object | Structured result including token data, validity state, and validation error details when invalid. |

Usage Notes
- Signing key priority for validation:
  1. `SigningKeys` method parameter.
  2. `Signing Keys` on the Connection.
  3. Keys resolved from `JWKS URI`.
- If no keys can be resolved and validation requires signature checks, validation fails.
- Use `EnableValidation = false` only when you need to inspect payload content without enforcing trust checks.