
Work with JSON Web Tokens

This short guide shows how to create a JSON Web Token when working with our Open Banking API.

JSON Web Tokens (JWTs) are required at several steps when working with the Payment Initiation endpoints.

A JWT is composed of a base64url-encoded header, a base64url-encoded payload and a cryptographic signature, separated by dots (.); in that respect a JWT has the same compact form as a JSON Web Signature (JWS).

Prerequisites

To work with JWT, you must first prepare:

  • A signing key and signing certificate pair
  • A JWKs URL at which your JSON Web Key (JWK) is publicly available
  • A JWT library to cryptographically create a JSON Web Token

To learn how to obtain them for testing purposes, see Get Started: Prepare your Sandbox environment.

Header

The header section of the JWT contains the mandatory parameters used to validate the signature of payment requests.

You must provide the kid parameter of your signing certificate.

Field   Description
alg     Algorithm used for the signature, always PS256
kid     The kid parameter of your signing key / certificate

This is a template JWT header that you can copy and fill with your own kid value:

{
  "alg": "PS256",
  "kid": "<kid parameter of your signing certificate>"
}

Payload

In the case of a JWT, the payload is the JSON payload of the API request itself.

For demonstration purposes, in this guide we are using this sample JSON payload:

{
  "response_type": "code id_token",
  "client_id": "d363951f-0f70-43e9-80e6-db9b0c578061",
  "redirect_uri": "https://example.com",
  "scope": "payments",
  "claims": {
    "id_token": {
      "openbanking_intent_id": {
        "value": "43e56447-4088-4111-a6e8-1eef585645a7"
      }
    }
  }
}

Signature

To compute the signature, you can use any library that is compatible with your environment.

For example, in JavaScript, a library such as jsrsasign can be used.

// In Node.js, jsrsasign exposes KJUR through require(); in a browser it is a global.
const { KJUR } = require("jsrsasign");

// PEM-encoded RSA private key matching the certificate published at your JWKs URL
// ("---abc---" is a placeholder, not a real key).
const private_key = "---abc---";

// Header: alg is always PS256; kid identifies your signing certificate.
const header = {
  "alg": "PS256",
  "kid": "abc123"
};

// Payload: the JSON payload of the API request.
const payload = {
  "response_type": "code id_token",
  "client_id": "d363951f-0f70-43e9-80e6-db9b0c578061",
  "redirect_uri": "https://example.com",
  "scope": "payments",
  "claims": {
    "id_token": {
      "openbanking_intent_id": {
        "value": "43e56447-4088-4111-a6e8-1eef585645a7"
      }
    }
  }
};

// KJUR.jws.JWS.sign(alg, header, payload, key) returns the compact
// header.payload.signature string.
const sJWT = KJUR.jws.JWS.sign("PS256", header, payload, private_key);

Full JWT

The final JWT for the above header and payload would result in:

eyJhbGciOiJQUzI1NiIsImtpZCI6ImFiYzEyMyJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZSBpZF90b2tlbiIsImNsaWVudF9pZCI6ImQzNjM5NTFmLTBmNzAtNDNlOS04MGU2LWRiOWIwYzU3ODA2MSIsInJlZGlyZWN0X3VyaSI6Imh0dHBzOi8vZXhhbXBsZS5jb20iLCJzY29wZSI6InBheW1lbnRzIiwiY2xhaW1zIjp7ImlkX3Rva2VuIjp7Im9wZW5iYW5raW5nX2ludGVudF9pZCI6eyJ2YWx1ZSI6IjQzZTU2NDQ3LTQwODgtNDExMS1hNmU4LTFlZWY1ODU2NDVhNyJ9fX19.jVM_DvUkBkN5HVtsG1GyEjC--------shNdHoAphHInCxU72eC4UOfzS4rUoBJDw

In the token above, the three dot-separated sections are, in order, the header, the payload and the signature.

note

For the signature section of the JWT, we have used an arbitrary string.
