This documentation is for WSO2 API Manager 1.7.0 View documentation for the latest release.
Page Comparison - Passing Enduser Attributes to the Backend Using JWT (v.1 vs v.6) - API Manager 1.7.0 - WSO2 Documentation

All docs This doc

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Configuring JWT

Given below is how to configure JWT generation in the API Manager.

  1. Open <APIM_HOME>/repository/conf/api-manager.xml file and enable JWT as follows.

    Code Block

    If you publish APIs before JWT is enabled, you have to republish them to include JWT.

  2. Configure the rest of the elements in the same XML file as described in the table below. If you do not specify values to the elements, the default values will be applied.

    ElementDescriptionDefault Value
    <SecurityContextHeader/> The name of the HTTP header to which the JWT is attached.X-JWT-Assertion

    By default, the following are encoded to the JWT:

    • subscriber name
    • application name 
    • API context
    • API version
    • authorised resource owner name

    In addition, you can also write your own class by extending the interface org.wso2.carbon.apimgt.impl.token.ClaimsRetriever. The methods in this interface are described below:


    void init() throws APIManagementException;

    Used to perform initialisation initialization tasks. Is executed once, right before the very first request.

    SortedMap<String,String> getClaims(String endUserName) throws APIManagementException;

    Returns a sorted map of claims. The key of the map indicates the user attribute name and the value indicates the corresponding user attribute value. The order in which these keys and values are encoded depends on the ordering defined by the sorted map.

    String getDialectURI(String endUserName);

    The dialect URI to which the attribute names returned by the getClaims() method are appended to. For example,
    if the getClaims method returns {email:[email protected], gender:male} and the getDialectURI() returns, the JWT will contain "”:“[email protected]”,“httpgender":"male","”:“male”email":"[email protected]" as part of the body.

    The default implementation (org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever) returns the user's attributes defined under the dialect URI and the JWT will also be encoded with the same dialect URI. The order of encoding the user's attributes is the natural order of the attributes. If no value is specified, no additional claims will be encoded, except the 6 default attributes.


    The dialect URI under which the user's claims are be looked for. Only works with the default value of <ClaimsRetrieverImplClass> element defined above.

    JWT token contains all claims define in the <ConsumerDialectURI> element. The default value of this element is To get a list of users to be included in the JWT, simply uncomment this element after enabling JWT. It will include all claims in to the JWT token.


    Taken from the shared space:

    The signing algorithm used to sign the JWT. The general format of the JWT is {token infor}.{claims list}.{signature}. When NONE is specified as the algorithm, signing is turned off and the JWT looks as {token infor}.{claims list}, with two strings delimited by a period and a period at the end.

    This element can have only two values - the default value (SHA256WITHRSA) or NONE.


In a multi-tenanted setup with JWT token generation enabled, if a user who is in a secondary user store tries to invoke an API published within the same tenant store, you get an error. This issue is fixed from 1.8.0 version onwards.