Work with JSON Web Tokens
This short guide shows how to create a JSON Web Token when working with our Open Banking API.
JSON Web Tokens (JWTs) are required in several steps when working with all the Payment initiation endpoints.
They are composed of a base64-encoded header, payload and cryptographic signature, separated by a dot ., and as such, are similar to JSON Web Signatures (JWSs).
Prerequisites
To work with JWT, you must first prepare:
- A signing key and signing certificate pair
- A JWKs URL at which your JSON Web Key (JWK) is publicly available
- A JWT library to cryptographically create a JSON Web Token
To learn how to obtain them for testing purposes, see Get Started: Prepare your Sandbox environment.
Header
The header section of the JWT contains mandatory parameters to validate the signature of payment requests.
You must provide the kid parameter of your signing certificate.
| Field | Description |
|---|---|
alg | Algorithm used for signature, always PS256 |
kid | The kid parameter of your signing key / certificate |
This is a template JWT header that you can copy and fill with your own kid value:
{
"alg": "PS256",
"kid": "<kid parameter of your signing certificate>"
}
Payload
In the case of JWT, the payload will be the JSON payload of the API request.
For demonstration purposes, in this guide we are using this sample JSON payload:
{
"response_type": "code id_token",
"client_id": "d363951f-0f70-43e9-80e6-db9b0c578061",
"redirect_uri": "https://example.com",
"scope": "payments",
"claims": {
"id_token": {
"openbanking_intent_id": {
"value": "43e56447-4088-4111-a6e8-1eef585645a7"
}
}
}
}
Signature
To compute the signature, you can use any library that is compatible with your environment.
For example, in JavaScript, a library such as jsrsasign can be used.
private_key = "---abc---";
header = {
"alg": "PS256",
"kid": "abc123"
};
payload = {
"response_type": "code id_token",
"client_id": "d363951f-0f70-43e9-80e6-db9b0c578061",
"redirect_uri": "https://example.com",
"scope": "payments",
"claims": {
"id_token": {
"openbanking_intent_id": {
"value": "43e56447-4088-4111-a6e8-1eef585645a7"
}
}
}
};
sJWT = KJUR.jws.JWS.sign("PS256", header, payload, private_key);
Full JWT
The final JWT for the above header and payload would result in:
eyJhbGciOiJQUzI1NiIsImtpZCI6ImFiYzEyMyJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZSBpZF90b2tlbiIsImNsaWVudF9pZCI6ImQzNjM5NTFmLTBmNzAtNDNlOS04MGU2LWRiOWIwYzU3ODA2MSIsInJlZGlyZWN0X3VyaSI6Imh0dHBzOi8vZXhhbXBsZS5jb20iLCJzY29wZSI6InBheW1lbnRzIiwiY2xhaW1zIjp7ImlkX3Rva2VuIjp7Im9wZW5iYW5raW5nX2ludGVudF9pZCI6eyJ2YWx1ZSI6IjQzZTU2NDQ3LTQwODgtNDExMS1hNmU4LTFlZWY1ODU2NDVhNyJ9fX19.jVM_DvUkBkN5HVtsG1GyEjC--------shNdHoAphHInCxU72eC4UOfzS4rUoBJDwThe payload section above was bolded to highlight the three sections composing a JWT and facilitate reading.
For the signature section of the JWT, we have used an arbitrary string.
What's next
- Initiate your first payment
- Test a payment consent with Postman
- Check out API reference for Domestic payments