This documentation is for WSO2 API Manager 1.4.0.
Generating JSON Web Token (JWT) - API Manager 1.4.0 - WSO2 Documentation
You are viewing an older version (version 6) of this page.

Given below is the configuration related to JWT generation in API Manager, found in the <APIM_HOME>/repository/conf/api-manager.xml file.


Let's take a look at each parameter in the XML file in detail.


XML Syntax: <EnableTokenGeneration/>
Description: Enables or disables JWT generation.
Default Value: false
Fixed Values: true/false


XML Syntax: <SecurityContextHeader/>
Description: The name of the HTTP header to which the JWT is attached.
Default Value: X-JWT-Assertion
Fixed Values: N/A


XML Syntax: <ClaimsRetrieverImplClass/>
Description: By default, a fixed set of values is encoded into the JWT: the subscriber name, application name, API context, API version and authorized resource owner name. In addition, an extensible interface is provided for encoding any further attribute of the user that the JWT needs. The fully qualified name of the interface is org.wso2.carbon.apimgt.impl.token.ClaimsRetriever, and it provides the following methods:

  • void init() throws APIManagementException;

This method is executed once right before the very first request. Any initialization tasks can be performed here.

  • SortedMap<String,String> getClaims(String endUserName) throws APIManagementException;

This method returns a SortedMap of claims. The key of the Map should indicate the 'user attribute name' and the value should indicate the corresponding 'user attribute value'. The order in which these keys and values are encoded depends on the ordering defined by the SortedMap.

  • String getDialectURI(String endUserName);

This is the dialect URI to which the attribute names returned by getClaims() are appended. For example, if getClaims() returns {email: <address>, gender: male}, the JWT body will contain two claims whose names are the dialect URI returned by getDialectURI() followed by email and gender respectively, with the values <address> and male.

The default implementation (org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever) returns the user's attributes defined under the dialect URI, and the JWT is encoded with the same dialect URI. The attributes are encoded in their natural order. If no value is specified for this element, no additional claims are encoded beyond the default attributes listed above.

Default Value: not set (see above)
Fixed Values: N/A
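The following is an added example of a custom ClaimsRetriever, written for this page and not taken from the WSO2 code base. It encodes one extra claim, the user's department, using a constructed in-memory lookup table in place of a real user store. The package name, the dialect URI http://example.org/claims, the sample users and the import location of APIManagementException (org.wso2.carbon.apimgt.api) are assumptions for the sake of illustration; only the ClaimsRetriever interface and its three methods come from the page.

```java
// Added example (not part of the WSO2 documentation or code base): a custom
// ClaimsRetriever that adds a "department" claim for the end user.
// Assumptions: the package name, the lookup table, the dialect URI
// http://example.org/claims and the import location of APIManagementException
// (org.wso2.carbon.apimgt.api) are all illustrative.
package com.example.apim.token;

import java.util.HashMap;
import java.util.Map;
import java.util.SortedMap;
import java.util.TreeMap;

import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.impl.token.ClaimsRetriever;

public class DepartmentClaimsRetriever implements ClaimsRetriever {

    // Dialect URI under which the extra claims are encoded (assumed value).
    private static final String DIALECT_URI = "http://example.org/claims";

    // Constructed sample data; a real implementation would query the user store.
    private final Map<String, String> departmentByUser = new HashMap<>();

    @Override
    public void init() throws APIManagementException {
        // Called once before the very first request: load reference data here,
        // not in getClaims(), which runs on every token generation.
        departmentByUser.put("alice", "engineering");
        departmentByUser.put("bob", "finance");
    }

    @Override
    public SortedMap<String, String> getClaims(String endUserName) throws APIManagementException {
        if (endUserName == null || endUserName.isEmpty()) {
            throw new APIManagementException("end user name is required to retrieve claims");
        }
        // TreeMap gives the natural (alphabetical) key order, which is the
        // order in which the claims are encoded into the JWT.
        SortedMap<String, String> claims = new TreeMap<>();
        String department = departmentByUser.get(endUserName);
        if (department == null) {
            // Unknown user: encode nothing extra rather than a guessed value.
            return claims;
        }
        claims.put("department", department);
        return claims;
    }

    @Override
    public String getDialectURI(String endUserName) {
        // Claim names from getClaims() are appended to this URI in the JWT body.
        return DIALECT_URI;
    }
}
```

To use such a class, set <ClaimsRetrieverImplClass> to its fully qualified name and make sure the compiled class is on the server's classpath. Note that <ConsumerDialectURI> has no effect once a custom class is configured; the dialect URI then comes from getDialectURI().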


XML Syntax: <ConsumerDialectURI/>
Description: The dialect URI under which the user's claims are looked up. This only applies when the <ClaimsRetrieverImplClass> element is left at its default value.
Default Value: N/A
Fixed Values: N/A


XML Syntax: <SignatureAlgorithm/>
Description: The algorithm used to sign the JWT. The general form of the JWT is {…}.{…}.{…}: three base64url-encoded strings delimited by periods (header, payload and signature). When NONE is used as the signing algorithm, the JWT looks like {…}.{…}. : two strings delimited by a period, with a trailing period where the signature would otherwise be. A backend that trusts the claims in this header must therefore verify the signature and reject the unsigned form.
Default Value: SHA256WITHRSA
Fixed Values:
  • SHA256WITHRSA (the default)
  • NONE - Signing is turned off
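The following is an added example, not WSO2 code, showing how a backend service should check the X-JWT-Assertion header before acting on its claims. It splits the token into its period-delimited segments, rejects the two-segment unsigned form produced by SignatureAlgorithm NONE, and verifies SHA256withRSA over the first two segments with the gateway's public key. Assumptions: the signing input is the standard JWS form base64url(header).base64url(payload); the gateway's public key reaches the backend out of band (here a throwaway key pair is generated only so the sample can sign its own constructed token); and the header JSON, the dialect URI http://example.org/claims and the claim values are constructed for illustration.

```java
// Added example (not WSO2 code): how a backend service should check the
// X-JWT-Assertion header before trusting its claims. Assumptions: the
// signing input is the standard JWS form base64url(header).base64url(payload),
// the gateway's public key is distributed to the backend out of band (here a
// throwaway key pair is generated so the sample can sign its own constructed
// token), and the header/claim JSON below is constructed for illustration.
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

public final class JwtAssertionVerifier {

    private static final String JCA_ALGORITHM = "SHA256withRSA"; // the SHA256WITHRSA setting above

    private final PublicKey gatewayKey;

    public JwtAssertionVerifier(PublicKey gatewayKey) {
        this.gatewayKey = gatewayKey;
    }

    /** Returns the decoded payload JSON, or throws SecurityException if the token must not be trusted. */
    public String verify(String token) throws Exception {
        // limit -1 keeps a trailing empty segment, so "header.payload." (the NONE form) still splits into 3.
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) {
            throw new SecurityException("expected header.payload.signature, got " + parts.length + " segment(s)");
        }
        byte[] signature = Base64.getUrlDecoder().decode(parts[2]);
        if (signature.length == 0) {
            // The NONE form: anyone who can reach the backend could forge it.
            throw new SecurityException("unsigned JWT (SignatureAlgorithm NONE) rejected");
        }
        // Verify with the algorithm we configured, not the one the token's header claims;
        // that closes the classic "alg" substitution trick.
        Signature verifier = Signature.getInstance(JCA_ALGORITHM);
        verifier.initVerify(gatewayKey);
        verifier.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!verifier.verify(signature)) {
            throw new SecurityException("JWT signature does not verify against the gateway key");
        }
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }

    // ---- helpers used only to build the constructed sample tokens ----

    static String b64url(byte[] data) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
    }

    static String signedToken(PrivateKey key, String headerJson, String payloadJson) throws Exception {
        String signingInput = b64url(headerJson.getBytes(StandardCharsets.UTF_8)) + "."
                + b64url(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance(JCA_ALGORITHM);
        signer.initSign(key);
        signer.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + b64url(signer.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair gateway = generator.generateKeyPair();
        JwtAssertionVerifier backend = new JwtAssertionVerifier(gateway.getPublic());

        // Constructed header and claims (dialect URI http://example.org/claims is assumed).
        String header = "{\"typ\":\"JWT\",\"alg\":\"RS256\"}";
        String claims = "{\"http://example.org/claims/subscriber\":\"alice\","
                + "\"http://example.org/claims/applicationname\":\"orders-app\","
                + "\"http://example.org/claims/apicontext\":\"/orders\"}";

        // 1. Properly signed token: accepted.
        String good = signedToken(gateway.getPrivate(), header, claims);
        System.out.println("accepted: " + backend.verify(good));

        // 2. Unsigned form produced by SignatureAlgorithm NONE: two segments and a trailing period.
        String unsigned = b64url(header.getBytes(StandardCharsets.UTF_8)) + "."
                + b64url(claims.getBytes(StandardCharsets.UTF_8)) + ".";
        expectRejected(backend, unsigned);

        // 3. Signed token whose payload was altered in transit: the signature no longer matches.
        String[] p = good.split("\\.", -1);
        String tampered = p[0] + "."
                + b64url(claims.replace("alice", "mallory").getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        expectRejected(backend, tampered);
    }

    private static void expectRejected(JwtAssertionVerifier backend, String token) throws Exception {
        try {
            backend.verify(token);
            throw new IllegalStateException("token should have been rejected");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is that the backend never reads the algorithm from the token: it verifies with the algorithm it was configured for, and any token without a signature segment is rejected outright. Switching <SignatureAlgorithm> to NONE on the gateway should therefore cause every request to this backend to fail, which is the behaviour you want rather than silently accepting forgeable claims.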
