This short guide shows how to create a JSON Web Token when working with our Open Banking API.
JSON Web Tokens (JWTs) are required in several steps when working with all the Payment initiation endpoints.
They are composed of a base64-encoded header, payload and cryptographic signature, separated by a dot .
, and as such, are similar to JSON Web Signatures (JWSs).
To work with JWT, you must first prepare:
To learn how to obtain them for testing purposes, see Get Started: Prepare your Sandbox environment.
The header section of the JWT contains mandatory parameters to validate the signature of payment requests.
You must provide the kid
parameter of your signing certificate.
Field | Description |
---|---|
alg | Algorithm used for signature, always PS256 |
kid | The kid parameter of your signing key / certificate |
This is a template JWT header that you can copy and fill with your own kid
value:
{
"alg": "PS256",
"kid": "<kid parameter of your signing certificate>"
}
In the case of JWT, the payload will be the JSON payload of the API request.
For demonstration purposes, in this guide we are using this sample JSON payload:
{
"response_type": "code id_token",
"client_id": "d363951f-0f70-43e9-80e6-db9b0c578061",
"redirect_uri": "https://example.com",
"scope": "payments",
"claims": {
"id_token": {
"openbanking_intent_id": {
"value": "43e56447-4088-4111-a6e8-1eef585645a7"
}
}
}
}
To compute the signature, you can use any library that is compatible with your environment.
For example, in JavaScript, a library such as jsrsasign can be used.
private_key = "---abc---";
header = {
"alg": "PS256",
"kid": "abc123"
};
payload = {
"response_type": "code id_token",
"client_id": "d363951f-0f70-43e9-80e6-db9b0c578061",
"redirect_uri": "https://example.com",
"scope": "payments",
"claims": {
"id_token": {
"openbanking_intent_id": {
"value": "43e56447-4088-4111-a6e8-1eef585645a7"
}
}
}
};
sJWT = KJUR.jws.JWS.sign("PS256", header, payload, private_key);
The final JWT for the above header and payload would result in:
eyJhbGciOiJQUzI1NiIsImtpZCI6ImFiYzEyMyJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZSBpZF90b2tlbiIsImNsaWVudF9pZCI6ImQzNjM5NTFmLTBmNzAtNDNlOS04MGU2LWRiOWIwYzU3ODA2MSIsInJlZGlyZWN0X3VyaSI6Imh0dHBzOi8vZXhhbXBsZS5jb20iLCJzY29wZSI6InBheW1lbnRzIiwiY2xhaW1zIjp7ImlkX3Rva2VuIjp7Im9wZW5iYW5raW5nX2ludGVudF9pZCI6eyJ2YWx1ZSI6IjQzZTU2NDQ3LTQwODgtNDExMS1hNmU4LTFlZWY1ODU2NDVhNyJ9fX19.jVM_DvUkBkN5HVtsG1GyEjC--------shNdHoAphHInCxU72eC4UOfzS4rUoBJDw
The payload section above was bolded to highlight the three sections composing a JWT and facilitate reading.
For the signature section of the JWT, we have used an arbitrary string.