This documentation is for WSO2 API Manager 1.5.0 View documentation for the latest release.
Generating JSON Web Token (JWT) - API Manager 1.5.0 - WSO2 Documentation

Given below is the configuration related to API Manager JWT generation found in <APIM_HOME>/repository/conf/api-manager.xml file.


NOTE: In a distributed API Manager setup, you need to enable JWT generation in all Key Manager and publisher nodes. After enabling JWT, a new class mediator is added to the definitions of new APIs. As the APIs that are already created do not have this new class, you must recreate them for JWT to work properly.

Let's take a look at each parameter in the XML file in detail.


XML Syntax: <EnableTokenGeneration/>
Description: Used to enable or disable JWT generation.
Default Value: false
Fixed Values: true/false

If you publish APIs before JWT is enabled, you have to republish them to include JWT.


XML Syntax: <SecurityContextHeader/>
Description: The name of the HTTP header to which the JWT is attached.
Default Value: X-JWT-Assertion
Fixed Values: N/A


XML Syntax: <ClaimsRetrieverImplClass/>
Description:

By default, a fixed set of values is encoded into the JWT: subscriber name, application name, API context, API version and authorized resource owner name. In addition to these values, an extensible interface is provided to encode any attribute of the user that the JWT requires. The fully-qualified name of the interface is org.wso2.carbon.apimgt.impl.token.ClaimsRetriever. The methods provided by the interface are:

  • void init() throws APIManagementException;

This method is executed once right before the very first request. Any initialization tasks can be performed here.

  • SortedMap<String,String> getClaims(String endUserName) throws APIManagementException;

This method returns a SortedMap of claims. The key of the Map should indicate the 'user attribute name' and the value should indicate the corresponding 'user attribute value'. The order in which these keys and values are encoded depends on the ordering defined by the SortedMap.

  • String getDialectURI(String endUserName);

This is the dialect URI to which the attribute names returned by getClaims() are appended. For example, if getClaims() returns {email:[email protected], gender:male} and getDialectURI() returns , the JWT will contain “”:“[email protected]”,“”:“male” as part of the body.

The default implementation (org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever) returns the user's attributes defined under the dialect URI and the JWT will also be encoded with the same dialect URI. The order of encoding the user's attributes is the natural order of the attributes. If no value is specified, no additional claims will be encoded, except the 6 default attributes.

Default Value:
Fixed Values: N/A
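The following is an added example of a custom ClaimsRetriever, not code from the WSO2 documentation or the product. It implements the three methods described above, adding one "department" claim from a constructed in-memory directory. The class name, the package com.example.apim.token, the dialect URI http://example.org/claims, the sample users, and the package of APIManagementException (assumed to be org.wso2.carbon.apimgt.api) are assumptions of this example; the rule that the claim key in the JWT is the dialect URI followed by "/" and the attribute name is also an assumption.

```java
package com.example.apim.token; // hypothetical package for this example

import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.SortedMap;
import java.util.TreeMap;

import org.wso2.carbon.apimgt.api.APIManagementException; // package assumed
import org.wso2.carbon.apimgt.impl.token.ClaimsRetriever;

/**
 * Adds a single "department" claim to the generated JWT. To use it, set
 * <ClaimsRetrieverImplClass>com.example.apim.token.DepartmentClaimsRetriever</ClaimsRetrieverImplClass>
 * in api-manager.xml (hypothetical class name).
 */
public class DepartmentClaimsRetriever implements ClaimsRetriever {

    // Hypothetical dialect; the claim key becomes DIALECT_URI + "/" + attribute name
    // (the exact join rule is an assumption of this example).
    private static final String DIALECT_URI = "http://example.org/claims";

    private Map<String, String> departmentByUser;

    @Override
    public void init() throws APIManagementException {
        // Runs once before the very first request: load whatever the lookups need.
        // Constructed sample data stands in for a real user store or LDAP query.
        Map<String, String> directory = new HashMap<>();
        directory.put("alice", "finance");
        directory.put("bob", "engineering");
        departmentByUser = directory;
    }

    @Override
    public SortedMap<String, String> getClaims(String endUserName) throws APIManagementException {
        if (departmentByUser == null) {
            throw new APIManagementException("init() has not run");
        }
        // TreeMap: the natural key order is the order in which claims are encoded.
        SortedMap<String, String> claims = new TreeMap<>();
        if (endUserName == null || endUserName.isEmpty()) {
            return claims; // empty map: only the default attributes get encoded
        }
        String department = departmentByUser.get(endUserName.toLowerCase(Locale.ROOT));
        if (department != null) {
            claims.put("department", department);
        }
        // Put only what the backend needs here: the JWT is signed, not encrypted,
        // so every claim is readable by anything that sees the header.
        return claims;
    }

    @Override
    public String getDialectURI(String endUserName) {
        return DIALECT_URI;
    }
}
```

With this class configured, a request by alice produces an extra claim of the form "http://example.org/claims/department":"finance" in the JWT body, and a user missing from the directory gets only the default attributes, since an empty map adds nothing.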


XML Syntax: <ConsumerDialectURI/>
Description: The dialect URI under which the user's claims are looked up. This only applies when the <ClaimsRetrieverImplClass> element has its default value.
Default Value: N/A
Fixed Values: N/A


XML Syntax: <SignatureAlgorithm/>
Description: The algorithm used to sign the JWT. The general form of the JWT is {...}.{...}.{...}, three strings delimited by periods.

When NONE is used as the signing algorithm, the JWT looks like {...}.{...}. , two strings delimited by a period, with a trailing period because the signature part is empty.

Default Value: SHA256WITHRSA
Fixed Values:
  • NONE - Signing is turned off
  • SHA256WITHRSA - The JWT is signed with RSA over SHA-256 (the default)
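The backend that receives the X-JWT-Assertion header has to check the structure just described before trusting any claim in it. The following is an added example of such a check, written for this page and not code from WSO2: it splits the token into its three period-delimited parts, refuses a token whose signature part is empty (the two-strings-and-a-trailing-period form produced by NONE), refuses any header that does not name the expected algorithm, and verifies the SHA256withRSA signature against the gateway's public key. The header value "alg":"RS256", the claim names under the dialect http://example.org/claims, and the payload contents are constructed for the demo; the key pair generated in main() stands in for the gateway's keystore.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

public class JwtAssertionCheck {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    // JOSE name for SHA256withRSA; that the gateway writes exactly this is an assumption.
    private static final String EXPECTED_HEADER_ALG = "\"alg\":\"RS256\"";

    /** Returns the decoded JSON payload, or throws SecurityException if the token must not be trusted. */
    public static String verify(String token, PublicKey gatewayKey) throws GeneralSecurityException {
        String[] parts = token.split("\\.", -1);           // -1 keeps the empty part after a trailing '.'
        if (parts.length != 3) {
            throw new SecurityException("expected header.payload.signature, got " + parts.length + " parts");
        }
        if (parts[2].isEmpty()) {
            throw new SecurityException("unsigned token (SignatureAlgorithm NONE) rejected");
        }
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.contains(EXPECTED_HEADER_ALG)) {       // the token never gets to choose its own algorithm
            throw new SecurityException("unexpected header: " + header);
        }
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(gatewayKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(B64D.decode(parts[2]))) {
            throw new SecurityException("signature does not verify against the gateway key");
        }
        return new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
    }

    // Demo-only stand-ins for what the gateway emits; not WSO2 code.
    static String signedToken(String payloadJson, PrivateKey key) throws GeneralSecurityException {
        String h = B64.encodeToString("{\"typ\":\"JWT\",\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8));
        String p = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update((h + "." + p).getBytes(StandardCharsets.US_ASCII));
        return h + "." + p + "." + B64.encodeToString(sig.sign());
    }

    static String unsignedToken(String payloadJson) {
        String h = B64.encodeToString("{\"typ\":\"JWT\",\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        String p = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return h + "." + p + ".";                          // two strings and a trailing period, as with NONE
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair gateway = kpg.generateKeyPair();           // stands in for the gateway's signing keystore

        // Constructed payload: the default attribute names from this page under a hypothetical dialect URI.
        String payload = "{\"http://example.org/claims/subscriber\":\"alice\","
                + "\"http://example.org/claims/applicationname\":\"Shop\","
                + "\"http://example.org/claims/apicontext\":\"/orders\","
                + "\"http://example.org/claims/version\":\"1.0.0\","
                + "\"http://example.org/claims/enduser\":\"alice\"}";

        System.out.println("accepted: " + verify(signedToken(payload, gateway.getPrivate()), gateway.getPublic()));

        String[] untrusted = {
                unsignedToken(payload),                                          // SignatureAlgorithm NONE
                signedToken(payload, kpg.generateKeyPair().getPrivate()) };      // signed by some other key
        for (String bad : untrusted) {
            try {
                verify(bad, gateway.getPublic());
                System.out.println("BUG: token accepted");
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The order of the checks matters: the empty-signature test runs before the algorithm and signature checks, so a NONE-form token is rejected without ever consulting the header it carries, and the public key is fixed on the verifying side rather than taken from the token.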
