Credential Injection JWT Generation Policy

| Policy Name | Credential Injection JWT Generation |
|---|---|
| Summary | Generates and injects a JWT token into outgoing requests |
| Category | Security |
| First Flex Gateway version available | v1.12.0 |
| Returned Status Codes | No return codes exist for this policy. Error codes are returned from the upstream service. |

Summary
The Credential Injection JWT Generation policy generates and injects a JWT token into outgoing requests. It signs the token with the configured key and algorithm and supports standard time-based claims, such as exp, iat, and nbf, in addition to custom claims and JWT headers. Each claim and header name and value can be a string or a DataWeave expression. Expressions can reference request attributes or authentication data.
Configuring Policy Parameters
Flex Gateway Local Mode
In Local Mode, you apply the policy to your API via declarative configuration files. Refer to the following policy definition and table of parameters:

```yaml
- policyRef:
    name: jwt-generation-flex
  config:
    signingMethod: <string> # REQUIRED, default: RS256
    privateKey: <string> # REQUIRED
    iat: <boolean> # REQUIRED, default: true
    exp: <number> # REQUIRED, default: 0
    nbf: <number> # REQUIRED, default: 0
    customClaims: # REQUIRED (can be empty array)
      - name: <string>
        value: <string>
    customHeaders: # REQUIRED (can be empty array)
      - name: <string>
        value: <string>
```

| Parameter | Required or Optional | Default Value | Description |
|---|---|---|---|
| signingMethod | Required | RS256 | The algorithm that signs the JWT. Supported values: |
| privateKey | Required | N/A | The key that signs the JWT. Use PEM-formatted pkcs8 for RSA and ES. Use plain text for HS. |
| iat | Required | true | A Boolean value specifying whether to include the issued-at (iat) claim in the JWT. |
| exp | Required | 0 | The number of seconds from the issue time until expiration. To omit the |
| nbf | Required | 0 | The number of seconds from the issue time until the token becomes valid. To omit the |
| customClaims | Required | N/A | The claims to include in the JWT. Each entry has a |
| customHeaders | Required | N/A | The JWT header parameters to include. Each entry has a |

Resource Configuration Examples
- HMAC-signed JWT with custom claim:

  ```yaml
  - policyRef:
      name: jwt-generation-flex
    config:
      signingMethod: HS256
      privateKey: my-secret-key
      iat: true
      exp: 3600
      nbf: 0
      customClaims:
        - name: "sub"
          value: "#[authentication.properties.clientId default 'anonymous']"
      customHeaders: []
  ```

- RSA-signed JWT with custom claims and headers:

  ```yaml
  - policyRef:
      name: jwt-generation-flex
    config:
      signingMethod: RS256
      privateKey: |
        -----BEGIN PRIVATE KEY-----
        <your-private-key>
        -----END PRIVATE KEY-----
      iat: true
      exp: 7200
      nbf: 0
      customClaims:
        - name: "aud"
          value: "'https://upstream.example.com'"
        - name: "client_id"
          value: "#[authentication.properties.clientId]"
      customHeaders:
        - name: "kid"
          value: "'key-1'"
  ```

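The upstream service that receives a token from the HMAC-signed configuration above still has to validate it. The following Python sketch is an added example, not MuleSoft or Flex Gateway code: `make_token` is a constructed stand-in for the gateway's output, `verify_token` and its `leeway` parameter are hypothetical names, and it assumes `exp` and `nbf` are offsets added to the issue time and that a value of 0 leaves the claim out.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(secret: bytes, issued_at: int, exp: int, nbf: int, claims: dict) -> str:
    """Constructed stand-in for the policy's HS256 output (not gateway code)."""
    payload = {"iat": issued_at, **claims}
    # Assumption: exp/nbf are second offsets from iat, and 0 leaves the claim out.
    if exp:
        payload["exp"] = issued_at + exp
    if nbf:
        payload["nbf"] = issued_at + nbf
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(token: str, secret: bytes, now: int, leeway: int = 30) -> dict:
    """Upstream-side check: pinned algorithm, signature, then time claims."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as err:
        raise ValueError("malformed token") from err
    # Pin alg to the configured signingMethod; never let the header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    # Upstream choice in this sketch: a token without exp is rejected.
    if "exp" not in claims or now >= claims["exp"] + leeway:
        raise ValueError("expired or missing exp")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise ValueError("not yet valid")
    return claims
```

For the RS and ES signing methods the same checks apply, with the HMAC comparison replaced by public-key signature verification from a maintained JWT library.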
Managed Flex Gateway and Flex Gateway Connected Mode
When you apply the policy to your API instance from the UI, the following parameters are displayed:
| Parameter | Description | Required? |
|---|---|---|
| Signing Method | The algorithm that signs the JWT. Valid values are RS256, RS384, RS512, HS256, HS384, HS512, ES256, and ES384. | Required |
| Private Key | The key that signs the JWT. Use PEM with pkcs8 for RSA and ES. Use plain text for HS. | Required |
| Issued At (iat) | A Boolean value specifying whether to include the issued-at (iat) claim in the JWT. | Required |
| Expiration (exp) | The number of seconds from the issue time until expiration. To omit the | Required |
| Not Before (nbf) | The number of seconds from the issue time until the token becomes valid. To omit the | Required |
| Custom Claims | The claims to include in the JWT. Each entry has a | Required |
| Custom Headers | The JWT header parameters to include. Each entry has a | Required |



