# Create a JWT

In this step, you must create a JWT which identifies your application.

To create the JWT (JSON Web Token), specify the parameters that are required for your application in the JWT header and payload.

The JWT must be signed using your signing certificate.
Ensure that the header and payload parameters meet the following format.

### Header

| JWT header | Type   | Description                                                                         | Required |
| ---------- | ------ | ----------------------------------------------------------------------------------- | -------- |
| `kid`      | string | The key ID corresponding to your signing certificate.                               | Yes      |
| `alg`      | string | The algorithm used to sign your JWT. Currently, only `PS256` is supported.          | Yes      |

#### Example JWT header
```json
{
  "kid": "<kid>",
  "alg": "PS256"
}
```

### Payload

| JWT payload                    | Type               | Description                                                                                                                                                                                                                               | REQUIRED |
| ------------------------------ | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- |
| `iss`                          | string             | The principal that issued the JWT.                                                                                                                                                                                                        | Yes      |
| `iat`                          | numeric            | The time the JWT was issued, which is used to determine the age of the JWT. Provided in seconds in Unix timestamp format.                                                                                                                 | Yes      |
| `exp`                          | numeric            | The expiration time starting from which the JWT must not be accepted for processing. Provided in seconds in Unix timestamp format.                                                                                                        | Yes      |
| `aud`                          | string             | The recipients for whom the JWT is intended. It must match the following regex: `^[0-9a-zA-Z]{1,18}$`. We recommend using just `revolut`.                                                                                                 | Yes      |
| `scope`                        | **string**         | The list of granted scopes, **separated by spaces**. The supported scopes are `openid` (required), `accounts`, `payments`, `fundsconfirmations`.                                                                                          | Yes      |
| `redirect_uris`                | array of strings   | The list of allowed redirect URIs.                                                                                                                                                                                                        | Yes      |
| `token_endpoint_auth_method`   | string             | The authorization method for the `token` endpoint. Currently, only `tls_client_auth` is supported.                                                                                                                                        | Yes      |
| `application_type`             | string             | The application type.                                                                                                                                                                                                                     | Yes      |
| `id_token_signed_response_alg` | string             | The signing algorithm used to sign the `id_token` JWTs. Currently, only `PS256` is supported.                                                                                                                                             | Yes      |
| `request_object_signing_alg`   | string             | The signing algorithm used to sign request objects. Currently, only `PS256` is supported.                                                                                                                                                 | Yes      |
| `tls_client_auth_dn`           | string             | The distinguished name (DN) of the transport certificate obtained in [step 3: Get your certificate's distinguished name](/docs/guides/build-banking-apps/register-your-application-using-dcr/get-your-certificates-distinguished-name).   | Yes      |
| `software_statement`           | string             | The software statement assertion (SSA) obtained in [step 2: Get the software statement](/docs/guides/build-banking-apps/register-your-application-using-dcr/get-the-software-statement).                                                  | Yes      |

#### Example JWT payload

```json
{
  "iss": "test-iss",
  "iat": 1591352490,
  "exp": 1591356090,
  "aud": "revolut",
  "scope": "openid payments accounts",
  "redirect_uris": ["https://example.com/my_callback_url"],
  "token_endpoint_auth_method": "tls_client_auth",
  "application_type": "web",
  "id_token_signed_response_alg": "PS256",
  "request_object_signing_alg": "PS256",
  "tls_client_auth_dn": "<insert tls_client_auth_dn>",
  "software_statement": "<insert software_statement>"
}
```