JOSE Implementation Policy

General Information

Policy Type

policy-jose-implementation

UI Documentation

📖 For detailed information: [UI Documentation Link - Link will be added here]

Description

JOSE Implementation policy generates JOSE (JSON Object Signing and Encryption) tokens including JWT (JSON Web Token), JWE (JSON Web Encryption), and JWS (JSON Web Signature). It can create signed and/or encrypted tokens with custom claims, expiration times, and other JWT standard fields.

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

---

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

Header	Value
Authorization	Bearer {token}

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [],
        "responsePolicyList": [
          {
            "type": "policy-jose-implementation",
            "name": "jose-implementation-policy",
            "description": "Generate JOSE tokens",
            "active": true,
            "joseTarget": "BODY",
            "joseTargetVariable": null,
            "jwtClaimsClaim": null,
            "escapeJsonString": false,
            "addIssueTime": true,
            "addJWTID": true,
            "addIssuer": true,
            "issuer": "https://myapi.com",
            "addAudience": true,
            "audienceList": ["api://myapi"],
            "addSubject": true,
            "subject": "user123",
            "addTypeToHeader": true,
            "typeValue": "JWT",
            "addExpirationTime": true,
            "expirationTimeValue": 3600,
            "expirationTimeUnit": "SECONDS",
            "additionalClaimMap": {
              "role": {
                "value": "admin",
                "valueType": "STRING"
              }
            },
            "sign": true,
            "signByIssuer": true,
            "jwkIdForValidationAndSign": null,
            "encrypt": true,
            "encryptByIssuer": true,
            "jwkIdForDecryptionAndEncryption": null,
            "encryptionMethod": "A128CBC_HS256",
            "encodedClaimsTargetForDataManipulation": "BODY",
            "decodedClaimsTargetVariableForDataManipulation": null
          }
        ],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

cURL Example

curl -X GET \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
  -H "Authorization: Bearer YOUR_TOKEN"

---

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer {token}
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example - Basic JWT Generation

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-implementation",
    "description": "Generate signed JWT tokens",
    "active": true,
    "joseTarget": "BODY",
    "joseTargetVariable": null,
    "jwtClaimsClaim": null,
    "escapeJsonString": false,
    "addIssueTime": true,
    "addJWTID": true,
    "addIssuer": true,
    "issuer": "https://myapi.com",
    "addAudience": true,
    "audienceList": ["api://myapi"],
    "addSubject": true,
    "subject": "user123",
    "addTypeToHeader": true,
    "typeValue": "JWT",
    "addExpirationTime": true,
    "expirationTimeValue": 3600,
    "expirationTimeUnit": "SECONDS",
    "additionalClaimMap": {
      "role": {
        "value": "admin",
        "valueType": "STRING"
      },
      "permissions": {
        "value": "read,write",
        "valueType": "STRING_LIST"
      }
    },
    "sign": true,
    "signByIssuer": true,
    "jwkIdForValidationAndSign": null,
    "encrypt": false,
    "encryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "encryptionMethod": null,
    "encodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}

Full JSON Body Example - Signed and Encrypted JWE

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-implementation",
    "description": "Generate signed and encrypted JWE tokens",
    "active": true,
    "joseTarget": "AUTHORIZATION_HEADER",
    "joseTargetVariable": null,
    "jwtClaimsClaim": null,
    "escapeJsonString": false,
    "addIssueTime": true,
    "addJWTID": true,
    "addIssuer": true,
    "issuer": "https://myapi.com",
    "addAudience": true,
    "audienceList": ["api://myapi"],
    "addSubject": true,
    "subject": "user123",
    "addTypeToHeader": true,
    "typeValue": "JWT",
    "addExpirationTime": true,
    "expirationTimeValue": 3600,
    "expirationTimeUnit": "SECONDS",
    "additionalClaimMap": {
      "role": {
        "value": "admin",
        "valueType": "STRING"
      }
    },
    "sign": true,
    "signByIssuer": true,
    "jwkIdForValidationAndSign": null,
    "encrypt": true,
    "encryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "encryptionMethod": "A128CBC_HS256",
    "encodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}

Full JSON Body Example - Using Proxy JWK

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-implementation",
    "description": "Generate JWT using proxy JWK",
    "active": true,
    "joseTarget": "BODY",
    "joseTargetVariable": null,
    "jwtClaimsClaim": null,
    "escapeJsonString": false,
    "addIssueTime": true,
    "addJWTID": true,
    "addIssuer": true,
    "issuer": "https://myapi.com",
    "addAudience": true,
    "audienceList": ["api://myapi"],
    "addSubject": true,
    "subject": "user123",
    "addTypeToHeader": true,
    "typeValue": "JWT",
    "addExpirationTime": true,
    "expirationTimeValue": 3600,
    "expirationTimeUnit": "SECONDS",
    "additionalClaimMap": {},
    "sign": true,
    "signByIssuer": false,
    "jwkIdForValidationAndSign": "my-signing-jwk-id",
    "encrypt": true,
    "encryptByIssuer": false,
    "jwkIdForDecryptionAndEncryption": "my-encryption-jwk-id",
    "encryptionMethod": "A256GCM",
    "encodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}

Full JSON Body Example - Minimal Configuration

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-implementation",
    "description": "Generate minimal JWT",
    "active": true,
    "joseTarget": "BODY",
    "joseTargetVariable": null,
    "jwtClaimsClaim": null,
    "escapeJsonString": false,
    "addIssueTime": false,
    "addJWTID": false,
    "addIssuer": false,
    "issuer": null,
    "addAudience": false,
    "audienceList": [],
    "addSubject": false,
    "subject": null,
    "addTypeToHeader": false,
    "typeValue": null,
    "addExpirationTime": false,
    "expirationTimeValue": null,
    "expirationTimeUnit": null,
    "additionalClaimMap": {
      "custom": {
        "value": "value",
        "valueType": "STRING"
      }
    },
    "sign": false,
    "signByIssuer": true,
    "jwkIdForValidationAndSign": null,
    "encrypt": false,
    "encryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "encryptionMethod": null,
    "encodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}

Full JSON Body Example - Variable Target

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-implementation",
    "description": "Generate JWT to variable",
    "active": true,
    "joseTarget": "CHOOSE_FROM_VARIABLE",
    "joseTargetVariable": {
      "type": "HEADER",
      "headerName": "X-JWT-Token"
    },
    "jwtClaimsClaim": null,
    "escapeJsonString": false,
    "addIssueTime": true,
    "addJWTID": true,
    "addIssuer": true,
    "issuer": "https://myapi.com",
    "addAudience": true,
    "audienceList": ["api://myapi"],
    "addSubject": true,
    "subject": "user123",
    "addTypeToHeader": true,
    "typeValue": "JWT",
    "addExpirationTime": true,
    "expirationTimeValue": 3600,
    "expirationTimeUnit": "SECONDS",
    "additionalClaimMap": {},
    "sign": true,
    "signByIssuer": true,
    "jwkIdForValidationAndSign": null,
    "encrypt": false,
    "encryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "encryptionMethod": null,
    "encodedClaimsTargetForDataManipulation": "CHOOSE_FROM_VARIABLE",
    "decodedClaimsTargetVariableForDataManipulation": {
      "type": "HEADER",
      "headerName": "X-Encoded-Claims"
    }
  }
}

Request Body Fields

operationMetadata

Field	Type	Required	Default	Description
targetScope	string	Yes	-	Policy scope: ALL or ENDPOINT
targetEndpoint	string	No*	-	Endpoint path (required if targetScope=ENDPOINT)
targetEndpointHTTPMethod	string	No*	-	HTTP method (required if targetScope=ENDPOINT)
targetPipeline	string	Yes	-	Pipeline: REQUEST, RESPONSE, or ERROR
deploy	boolean	No	true	Whether to deploy after adding policy
deployTargetEnvironmentNameList	array	No	[]	List of environment names to deploy to
order	integer	No	null	Policy execution order (starts from 1)

Enum: targetScope

• ALL - Policy applies to all endpoints
• ENDPOINT - Policy applies only to specified endpoint

Enum: targetPipeline

• REQUEST - Executes in request pipeline (generates tokens for requests)
• RESPONSE - Executes in response pipeline (generates tokens for responses)
• ERROR - Executes in error pipeline

Enum: targetEndpointHTTPMethod

• GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD

policy

Field	Type	Required	Default	Description
type	string	Yes	-	Policy type: policy-jose-implementation
description	string	No	-	Policy description
active	boolean	No	true	Whether policy is active
joseTarget	string	Yes	BODY	JOSE target location. See EnumJoseImplementationSignedTarget
joseTargetVariable	object	No*	null	Variable for JOSE target (required if joseTarget=CHOOSE_FROM_VARIABLE). See VariableDTO
jwtClaimsClaim	string	No	null	JWT claims claim name (for nested claims)
escapeJsonString	boolean	No	false	Whether to escape JSON string values
addIssueTime	boolean	No	true	Whether to add issue time (iat) to JWT
addJWTID	boolean	No	true	Whether to add JWT ID (jti) to JWT
addIssuer	boolean	No	true	Whether to add issuer (iss) to JWT
issuer	string	No*	null	Issuer value (required if addIssuer=true)
addAudience	boolean	No	true	Whether to add audience (aud) to JWT
audienceList	array	No*	[]	Audience list (required if addAudience=true, at least one required)
addSubject	boolean	No	true	Whether to add subject (sub) to JWT
subject	string	No*	null	Subject value (required if addSubject=true)
addTypeToHeader	boolean	No	true	Whether to add type (typ) to header
typeValue	string	No*	null	Type value (required if addTypeToHeader=true)
addExpirationTime	boolean	No	true	Whether to add expiration time (exp) to JWT
expirationTimeValue	integer	No*	null	Expiration time value (required if addExpirationTime=true, must be > 0)
expirationTimeUnit	string	No*	null	Expiration time unit (required if addExpirationTime=true). See EnumTimeUnit
additionalClaimMap	object	No	{}	Map of additional claims. See MapValue
sign	boolean	No	true	Whether to sign JWT
signByIssuer	boolean	No	true	Sign by issuer (true) or by proxy’s JWK (false)
jwkIdForValidationAndSign	string	No*	null	JWK ID for validation and signing (required if sign=true and signByIssuer=false)
encrypt	boolean	No	true	Whether to encrypt JWT
encryptByIssuer	boolean	No	true	Encrypt by issuer (true) or by proxy’s JWK (false)
jwkIdForDecryptionAndEncryption	string	No*	null	JWK ID for decryption and encryption (required if encrypt=true and encryptByIssuer=false)
encryptionMethod	string	No*	null	Encryption method (required if encrypt=true). See EnumJwkEncryptionMethod
encodedClaimsTargetForDataManipulation	string	No	BODY	Target for encoded claims data manipulation. See EnumJoseTarget
decodedClaimsTargetVariableForDataManipulation	object	No*	null	Variable for encoded claims target (required if encodedClaimsTargetForDataManipulation=CHOOSE_FROM_VARIABLE). See VariableDTO

EnumJoseImplementationSignedTarget

• BODY - Place JOSE token in request/response body
• AUTHORIZATION_HEADER - Place JOSE token in Authorization header
• CHOOSE_FROM_VARIABLE - Place JOSE token location specified by variable (requires joseTargetVariable)
• EMPTY - Do not place token (for internal use only)

EnumTimeUnit

• MILLI_SECONDS - Milliseconds
• SECONDS - Seconds
• MINUTES - Minutes
• HOURS - Hours
• DAYS - Days
• WEEKS - Weeks
• MONTHS - Months
• YEARS - Years

EnumJwkEncryptionMethod

• A128CBC_HS256 - AES-128-CBC with HMAC-SHA-256 (recommended)
• A192CBC_HS384 - AES-192-CBC with HMAC-SHA-384
• A256CBC_HS512 - AES-256-CBC with HMAC-SHA-512
• A128CBC_HS256_DEPRECATED - AES-128-CBC with HMAC-SHA-256 (deprecated)
• A256CBC_HS512_DEPRECATED - AES-256-CBC with HMAC-SHA-512 (deprecated)
• A128GCM - AES-128-GCM
• A192GCM - AES-192-GCM
• A256GCM - AES-256-GCM (recommended for GCM)
• XC20P - XChaCha20-Poly1305

EnumJoseTarget

• BODY - Place encoded claims in request/response body
• AUTHORIZATION_HEADER - Place encoded claims in Authorization header
• CHOOSE_FROM_VARIABLE - Place encoded claims in variable (requires decodedClaimsTargetVariableForDataManipulation)

Note

• If joseTarget: CHOOSE_FROM_VARIABLE, joseTargetVariable is required.
• If addIssuer: true, issuer is required.
• If addAudience: true, audienceList is required and must contain at least one value.
• If addSubject: true, subject is required.
• If addTypeToHeader: true, typeValue is required.
• If addExpirationTime: true, both expirationTimeValue (must be > 0) and expirationTimeUnit are required.
• If sign: true and signByIssuer: false, jwkIdForValidationAndSign is required.
• If encrypt: true, encryptionMethod is required.
• If encrypt: true and encryptByIssuer: false, jwkIdForDecryptionAndEncryption is required.
• If encodedClaimsTargetForDataManipulation: CHOOSE_FROM_VARIABLE, decodedClaimsTargetVariableForDataManipulation is required.

VariableDTO

Field	Type	Required	Default	Description
id	string	No	-	Variable ID (if referencing existing variable)
projectId	string	No	-	Project ID (if referencing existing variable)
name	string	No*	-	Variable name (required if id not provided)
description	string	No	-	Variable description
type	string	Yes	-	Variable type: HEADER, PARAMETER, BODY, CONTEXT_VALUES, CUSTOM
headerName	string	No*	-	Header name (required if type=HEADER)
paramType	string	No*	-	Parameter type: QUERY, PATH, FORM (required if type=PARAMETER)
paramName	string	No*	-	Parameter name (required if type=PARAMETER)
paramPath	string	No	-	Parameter path
formName	string	No	-	Form name (for form parameters)
xpathValue	string	No*	-	XPath value (required if type=BODY and content is XML)
jsonPathValue	string	No*	-	JSONPath value (required if type=BODY and content is JSON)
bodyJsonPath	string	No*	-	JSONPath value (alternative to jsonPathValue)
messageContentType	string	No*	-	Message content type: JSON, XML, FORM (required if type=BODY)
contextValue	string	No*	-	Context value (required if type=CONTEXT_VALUES)
zoneId	string	No	-	Zone ID (for date context values)
initWithScript	boolean	No	false	Initialize with script
scriptLanguage	string	No	-	Script language: GROOVY, JAVASCRIPT (required if initWithScript=true)
scriptBody	string	No	-	Script body (required if initWithScript=true)

EnumVariableType

• HEADER - HTTP header
• PARAMETER - Query/path/form parameter
• BODY - Request/response body
• CONTEXT_VALUES - Context values (e.g., current time, IP address)
• CUSTOM - Custom variable (script-based)

EnumVariableParameterType

• QUERY - Query parameter
• PATH - Path parameter
• FORM - Form parameter

EnumMessageContentType

• JSON - JSON content
• XML - XML content
• FORM - Form content

EnumVariableContextValue

• CURRENT_TIME - Current timestamp
• CURRENT_DATE - Current date
• CLIENT_IP - Client IP address
• CLIENT_PORT - Client port
• SERVER_IP - Server IP address
• SERVER_PORT - Server port
• REQUEST_METHOD - HTTP request method
• REQUEST_URI - Request URI
• REQUEST_PATH - Request path
• REQUEST_QUERY_STRING - Query string
• REQUEST_PROTOCOL - Request protocol
• REQUEST_HOST - Request host
• REQUEST_SCHEME - Request scheme
• RESPONSE_STATUS_CODE - Response status code
• RESPONSE_STATUS_TEXT - Response status text
• API_PROXY_NAME - API Proxy name
• API_PROXY_ID - API Proxy ID
• ENDPOINT_NAME - Endpoint name
• ENDPOINT_ID - Endpoint ID
• ENVIRONMENT_NAME - Environment name
• ENVIRONMENT_ID - Environment ID
• PROJECT_NAME - Project name
• PROJECT_ID - Project ID
• USER_NAME - User name
• USER_ID - User ID
• ORGANIZATION_NAME - Organization name
• ORGANIZATION_ID - Organization ID
• ZONE_ID - Zone ID
• TIMEZONE_ID - Timezone ID

EnumScriptType

• GROOVY - Groovy script
• JAVASCRIPT - JavaScript script

MapValue

Field	Type	Required	Default	Description
value	string	Yes	-	Claim value
valueType	string	No	STRING	Value type. See MapValueType

MapValueType

• STRING - String value
• BOOLEAN - Boolean value
• INTEGER - Integer value
• LONG - Long value
• DOUBLE - Double value
• FLOAT - Float value
• STRING_LIST - String list (comma-separated)
• URI - URI value

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

cURL Example

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/jose-implementation-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "RESPONSE",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["production"],
      "order": 1
    },
    "policy": {
      "type": "policy-jose-implementation",
      "description": "Generate signed JWT tokens",
      "active": true,
      "joseTarget": "BODY",
      "addIssueTime": true,
      "addJWTID": true,
      "addIssuer": true,
      "issuer": "https://myapi.com",
      "addAudience": true,
      "audienceList": ["api://myapi"],
      "addSubject": true,
      "subject": "user123",
      "addTypeToHeader": true,
      "typeValue": "JWT",
      "addExpirationTime": true,
      "expirationTimeValue": 3600,
      "expirationTimeUnit": "SECONDS",
      "sign": true,
      "signByIssuer": true,
      "encrypt": false
    }
  }'

---

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer {token}
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["tester"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-implementation",
    "description": "Updated: Generate signed JWT tokens with encryption",
    "active": true,
    "joseTarget": "BODY",
    "joseTargetVariable": null,
    "jwtClaimsClaim": null,
    "escapeJsonString": false,
    "addIssueTime": true,
    "addJWTID": true,
    "addIssuer": true,
    "issuer": "https://myapi.com",
    "addAudience": true,
    "audienceList": ["api://myapi", "api://partners"],
    "addSubject": true,
    "subject": "user123",
    "addTypeToHeader": true,
    "typeValue": "JWT",
    "addExpirationTime": true,
    "expirationTimeValue": 7200,
    "expirationTimeUnit": "SECONDS",
    "additionalClaimMap": {
      "role": {
        "value": "admin",
        "valueType": "STRING"
      },
      "permissions": {
        "value": "read,write,delete",
        "valueType": "STRING_LIST"
      },
      "department": {
        "value": "engineering",
        "valueType": "STRING"
      }
    },
    "sign": true,
    "signByIssuer": true,
    "jwkIdForValidationAndSign": null,
    "encrypt": true,
    "encryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "encryptionMethod": "A256GCM",
    "encodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}

Note: Request body structure is the same as Add Policy. All fields should be provided for update.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

---

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer {token}
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": false
  }
}

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": []
  }
}

---

Notes and Warnings

• JOSE Target:
  • BODY - Token is placed in request/response body
  • AUTHORIZATION_HEADER - Token is placed in Authorization header (standard Bearer token)
  • CHOOSE_FROM_VARIABLE - Token location is dynamic (specified by variable)
  • EMPTY - Token is not placed (for internal use only)
• Standard Claims:
  • iat (Issue Time) - Added when addIssueTime: true
  • jti (JWT ID) - Added when addJWTID: true
  • iss (Issuer) - Added when addIssuer: true (requires issuer)
  • aud (Audience) - Added when addAudience: true (requires audienceList)
  • sub (Subject) - Added when addSubject: true (requires subject)
  • exp (Expiration Time) - Added when addExpirationTime: true (requires expirationTimeValue and expirationTimeUnit)
  • typ (Type) - Added to header when addTypeToHeader: true (requires typeValue)
• Signing:
  • JWT can be signed for integrity and authenticity
  • Signing key can come from issuer credentials or proxy JWK
  • When signByIssuer: false, jwkIdForValidationAndSign is required
• Encryption:
  • JWT can be encrypted to create JWE (JSON Web Encryption)
  • Encryption method must be specified when encrypt: true
  • Encryption key can come from issuer credentials or proxy JWK
  • When encryptByIssuer: false, jwkIdForDecryptionAndEncryption is required
• Encryption Methods:
  • A128CBC_HS256, A192CBC_HS384, A256CBC_HS512 - AES-CBC with HMAC (recommended)
  • A128GCM, A192GCM, A256GCM - AES-GCM (recommended for GCM)
  • XC20P - XChaCha20-Poly1305 (modern, secure)
  • Deprecated methods should be avoided
• Additional Claims:
  • Custom claims can be added via additionalClaimMap
  • Claims support various value types (STRING, BOOLEAN, INTEGER, LONG, DOUBLE, FLOAT, STRING_LIST, URI)
• Escape JSON String:
  • When escapeJsonString: true, JSON string values are escaped
  • Useful for nested JSON structures
• Performance: JOSE token generation adds cryptographic processing overhead. Use for necessary security only.
• Pipeline:
  • REQUEST pipeline generates tokens for outgoing requests
  • RESPONSE pipeline generates tokens for outgoing responses
• Error Handling: Invalid configuration or JWK failure causes policy to fail
• Deployment: Policy changes require deployment to take effect. Set deploy: true or deploy manually.

Related Documentation

• List Policies - List all policies
• Add Policy - General policy addition guide
• Update Policy - General policy update guide
• Delete Policy - General policy deletion guide
• JOSE Validation Policy - Validate JOSE tokens