JOSE Validation Policy

General Information

Policy Type

policy-jose-validation

UI Documentation

📖 For detailed information: [UI Documentation Link - Link will be added here]

Description

JOSE Validation policy validates JOSE (JSON Object Signing and Encryption) tokens including JWT (JSON Web Token), JWE (JSON Web Encryption), and JWS (JSON Web Signature). It can validate signatures, decrypt encrypted tokens, verify claims, and extract client information from tokens.

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

---

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

Header	Value
Authorization	Bearer {token}

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [
          {
            "type": "policy-jose-validation",
            "name": "jose-validation-policy",
            "description": "Validate JOSE tokens",
            "active": true,
            "joseTarget": "BODY",
            "joseTargetVariable": null,
            "clientSourcePart": "CLAIMS",
            "clientSourceVariable": null,
            "clientFieldname": "iss",
            "acceptedAudienceList": ["api://myapi"],
            "exactMatchClaimMap": {
              "role": {
                "value": "admin",
                "valueType": "STRING"
              }
            },
            "requiredClaimList": ["sub", "exp"],
            "prohibitedClaimList": [],
            "validateExpirationTime": true,
            "validateSign": true,
            "validateByIssuer": true,
            "validateACLforIssuer": true,
            "jwkIdForValidationAndSign": null,
            "decrypt": true,
            "decryptByIssuer": true,
            "jwkIdForDecryptionAndEncryption": null,
            "stripAndDecode": "NONE",
            "jwtClaimsToDecode": null,
            "decodedClaimsTargetForDataManipulation": "BODY",
            "decodedClaimsTargetVariableForDataManipulation": null
          }
        ],
        "responsePolicyList": [],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

cURL Example

curl -X GET \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
  -H "Authorization: Bearer YOUR_TOKEN"

---

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer {token}
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example - Basic Validation

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-validation",
    "description": "Validate JOSE tokens from request body",
    "active": true,
    "joseTarget": "BODY",
    "joseTargetVariable": null,
    "clientSourcePart": "CLAIMS",
    "clientSourceVariable": null,
    "clientFieldname": "iss",
    "acceptedAudienceList": ["api://myapi"],
    "exactMatchClaimMap": {
      "role": {
        "value": "admin",
        "valueType": "STRING"
      }
    },
    "requiredClaimList": ["sub", "exp"],
    "prohibitedClaimList": [],
    "validateExpirationTime": true,
    "validateSign": true,
    "validateByIssuer": true,
    "validateACLforIssuer": true,
    "jwkIdForValidationAndSign": null,
    "decrypt": true,
    "decryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "stripAndDecode": "NONE",
    "jwtClaimsToDecode": null,
    "decodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}

Full JSON Body Example - From Authorization Header

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-validation",
    "description": "Validate JOSE tokens from Authorization header",
    "active": true,
    "joseTarget": "AUTHORIZATION_HEADER",
    "joseTargetVariable": null,
    "clientSourcePart": "CLAIMS",
    "clientSourceVariable": null,
    "clientFieldname": "iss",
    "acceptedAudienceList": ["api://myapi"],
    "exactMatchClaimMap": {},
    "requiredClaimList": ["sub", "exp", "iat"],
    "prohibitedClaimList": [],
    "validateExpirationTime": true,
    "validateSign": true,
    "validateByIssuer": true,
    "validateACLforIssuer": true,
    "jwkIdForValidationAndSign": null,
    "decrypt": false,
    "decryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "stripAndDecode": "NONE",
    "jwtClaimsToDecode": null,
    "decodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}

Full JSON Body Example - With Proxy JWK

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-validation",
    "description": "Validate JOSE tokens using proxy JWK",
    "active": true,
    "joseTarget": "BODY",
    "joseTargetVariable": null,
    "clientSourcePart": "CLAIMS",
    "clientSourceVariable": null,
    "clientFieldname": "iss",
    "acceptedAudienceList": ["api://myapi"],
    "exactMatchClaimMap": {},
    "requiredClaimList": ["sub", "exp"],
    "prohibitedClaimList": [],
    "validateExpirationTime": true,
    "validateSign": true,
    "validateByIssuer": false,
    "validateACLforIssuer": false,
    "jwkIdForValidationAndSign": "my-jwk-id",
    "decrypt": true,
    "decryptByIssuer": false,
    "jwkIdForDecryptionAndEncryption": "my-decrypt-jwk-id",
    "stripAndDecode": "ALL",
    "jwtClaimsToDecode": null,
    "decodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}

Full JSON Body Example - Partial Decode with Claims Extraction

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-validation",
    "description": "Validate and partially decode JOSE tokens",
    "active": true,
    "joseTarget": "BODY",
    "joseTargetVariable": null,
    "clientSourcePart": "CLAIMS",
    "clientSourceVariable": null,
    "clientFieldname": "iss",
    "acceptedAudienceList": ["api://myapi"],
    "exactMatchClaimMap": {
      "role": {
        "value": "admin",
        "valueType": "STRING"
      },
      "permissions": {
        "value": "read,write",
        "valueType": "STRING_LIST"
      }
    },
    "requiredClaimList": ["sub", "exp", "iat"],
    "prohibitedClaimList": ["blacklisted"],
    "validateExpirationTime": true,
    "validateSign": true,
    "validateByIssuer": true,
    "validateACLforIssuer": true,
    "jwkIdForValidationAndSign": null,
    "decrypt": true,
    "decryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "stripAndDecode": "PARTIAL",
    "jwtClaimsToDecode": "sub,role,permissions",
    "decodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}

Full JSON Body Example - Variable Target

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-validation",
    "description": "Validate JOSE tokens from variable",
    "active": true,
    "joseTarget": "CHOOSE_FROM_VARIABLE",
    "joseTargetVariable": {
      "type": "HEADER",
      "headerName": "X-JWT-Token"
    },
    "clientSourcePart": "VARIABLE",
    "clientSourceVariable": {
      "type": "HEADER",
      "headerName": "X-Client-ID"
    },
    "clientFieldname": "iss",
    "acceptedAudienceList": ["api://myapi"],
    "exactMatchClaimMap": {},
    "requiredClaimList": ["sub", "exp"],
    "prohibitedClaimList": [],
    "validateExpirationTime": true,
    "validateSign": true,
    "validateByIssuer": true,
    "validateACLforIssuer": true,
    "jwkIdForValidationAndSign": null,
    "decrypt": true,
    "decryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "stripAndDecode": "NONE",
    "jwtClaimsToDecode": null,
    "decodedClaimsTargetForDataManipulation": "CHOOSE_FROM_VARIABLE",
    "decodedClaimsTargetVariableForDataManipulation": {
      "type": "HEADER",
      "headerName": "X-Decoded-Claims"
    }
  }
}

Request Body Fields

operationMetadata

Field	Type	Required	Default	Description
targetScope	string	Yes	-	Policy scope: ALL or ENDPOINT
targetEndpoint	string	No*	-	Endpoint path (required if targetScope=ENDPOINT)
targetEndpointHTTPMethod	string	No*	-	HTTP method (required if targetScope=ENDPOINT)
targetPipeline	string	Yes	-	Pipeline: REQUEST, RESPONSE, or ERROR
deploy	boolean	No	true	Whether to deploy after adding policy
deployTargetEnvironmentNameList	array	No	[]	List of environment names to deploy to
order	integer	No	null	Policy execution order (starts from 1)

Enum: targetScope

• ALL - Policy applies to all endpoints
• ENDPOINT - Policy applies only to specified endpoint

Enum: targetPipeline

• REQUEST - Executes in request pipeline (validates incoming tokens)
• RESPONSE - Executes in response pipeline (validates outgoing tokens)
• ERROR - Executes in error pipeline

Enum: targetEndpointHTTPMethod

• GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD

policy

Field	Type	Required	Default	Description
type	string	Yes	-	Policy type: policy-jose-validation
description	string	No	-	Policy description
active	boolean	No	true	Whether policy is active
joseTarget	string	Yes	BODY	JOSE target location. See EnumJoseTarget
joseTargetVariable	object	No*	null	Variable for JOSE target (required if joseTarget=CHOOSE_FROM_VARIABLE). See VariableDTO
clientSourcePart	string	Yes	CLAIMS	Client source part. See EnumJoseUserSourcePart
clientSourceVariable	object	No*	null	Variable for client source (required if clientSourcePart=VARIABLE). See VariableDTO
clientFieldname	string	No	iss	Client field name for extraction (e.g., “iss” for issuer)
acceptedAudienceList	array	No	[]	List of accepted audience values
exactMatchClaimMap	object	No	{}	Map of exact match claims. See MapValue
requiredClaimList	array	No	[]	List of required claim names
prohibitedClaimList	array	No	[]	List of prohibited claim names
validateExpirationTime	boolean	No	true	Whether to validate expiration time
validateSign	boolean	No	true	Whether to validate JOSE signature
validateByIssuer	boolean	No	true	Validate by issuer (true) or by proxy’s JWK (false)
validateACLforIssuer	boolean	No	true	Whether to validate ACL for issuer
jwkIdForValidationAndSign	string	No*	null	JWK ID for validation and signing (required if validateSign=true and validateByIssuer=false)
decrypt	boolean	No	true	Whether to decrypt JOSE
decryptByIssuer	boolean	No	true	Decrypt by issuer (true) or by proxy’s JWK (false)
jwkIdForDecryptionAndEncryption	string	No*	null	JWK ID for decryption and encryption (required if decrypt=true and decryptByIssuer=false)
stripAndDecode	string	Yes	NONE	Strip and decode mode. See EnumJoseStripAndDecode
jwtClaimsToDecode	string	No*	null	JWT claims to decode (required if stripAndDecode=PARTIAL). Comma-separated claim names
decodedClaimsTargetForDataManipulation	string	No	BODY	Target for decoded claims data manipulation. See EnumJoseTarget
decodedClaimsTargetVariableForDataManipulation	object	No*	null	Variable for decoded claims target (required if decodedClaimsTargetForDataManipulation=CHOOSE_FROM_VARIABLE). See VariableDTO

EnumJoseTarget

• BODY - JOSE token is in request/response body
• AUTHORIZATION_HEADER - JOSE token is in Authorization header
• CHOOSE_FROM_VARIABLE - JOSE token location is specified by variable (requires joseTargetVariable)

EnumJoseUserSourcePart

• HEADER - Extract client information from JOSE header
• CLAIMS - Extract client information from JOSE claims (default)
• VARIABLE - Extract client information from variable (requires clientSourceVariable)

EnumJoseStripAndDecode

• NONE - Do not strip or decode (default)
• ALL - Strip and decode all claims
• PARTIAL - Strip and decode only specified claims (requires jwtClaimsToDecode)

EnumJoseTarget

• BODY - Place decoded claims in request/response body
• AUTHORIZATION_HEADER - Place decoded claims in Authorization header
• CHOOSE_FROM_VARIABLE - Place decoded claims in variable (requires decodedClaimsTargetVariableForDataManipulation)

Note

• If joseTarget: CHOOSE_FROM_VARIABLE, joseTargetVariable is required.
• If clientSourcePart: VARIABLE, clientSourceVariable is required.
• If validateSign: true and validateByIssuer: false, jwkIdForValidationAndSign is required.
• If decrypt: true and decryptByIssuer: false, jwkIdForDecryptionAndEncryption is required.
• If stripAndDecode: PARTIAL, jwtClaimsToDecode is required.
• If decodedClaimsTargetForDataManipulation: CHOOSE_FROM_VARIABLE, decodedClaimsTargetVariableForDataManipulation is required.

VariableDTO

Field	Type	Required	Default	Description
id	string	No	-	Variable ID (if referencing existing variable)
projectId	string	No	-	Project ID (if referencing existing variable)
name	string	No*	-	Variable name (required if id not provided)
description	string	No	-	Variable description
type	string	Yes	-	Variable type: HEADER, PARAMETER, BODY, CONTEXT_VALUES, CUSTOM
headerName	string	No*	-	Header name (required if type=HEADER)
paramType	string	No*	-	Parameter type: QUERY, PATH, FORM (required if type=PARAMETER)
paramName	string	No*	-	Parameter name (required if type=PARAMETER)
paramPath	string	No	-	Parameter path
formName	string	No	-	Form name (for form parameters)
xpathValue	string	No*	-	XPath value (required if type=BODY and content is XML)
jsonPathValue	string	No*	-	JSONPath value (required if type=BODY and content is JSON)
bodyJsonPath	string	No*	-	JSONPath value (alternative to jsonPathValue)
messageContentType	string	No*	-	Message content type: JSON, XML, FORM (required if type=BODY)
contextValue	string	No*	-	Context value (required if type=CONTEXT_VALUES)
zoneId	string	No	-	Zone ID (for date context values)
initWithScript	boolean	No	false	Initialize with script
scriptLanguage	string	No	-	Script language: GROOVY, JAVASCRIPT (required if initWithScript=true)
scriptBody	string	No	-	Script body (required if initWithScript=true)

EnumVariableType

• HEADER - HTTP header
• PARAMETER - Query/path/form parameter
• BODY - Request/response body
• CONTEXT_VALUES - Context values (e.g., current time, IP address)
• CUSTOM - Custom variable (script-based)

EnumVariableParameterType

• QUERY - Query parameter
• PATH - Path parameter
• FORM - Form parameter

EnumMessageContentType

• JSON - JSON content
• XML - XML content
• FORM - Form content

EnumVariableContextValue

• CURRENT_TIME - Current timestamp
• CURRENT_DATE - Current date
• CLIENT_IP - Client IP address
• CLIENT_PORT - Client port
• SERVER_IP - Server IP address
• SERVER_PORT - Server port
• REQUEST_METHOD - HTTP request method
• REQUEST_URI - Request URI
• REQUEST_PATH - Request path
• REQUEST_QUERY_STRING - Query string
• REQUEST_PROTOCOL - Request protocol
• REQUEST_HOST - Request host
• REQUEST_SCHEME - Request scheme
• RESPONSE_STATUS_CODE - Response status code
• RESPONSE_STATUS_TEXT - Response status text
• API_PROXY_NAME - API Proxy name
• API_PROXY_ID - API Proxy ID
• ENDPOINT_NAME - Endpoint name
• ENDPOINT_ID - Endpoint ID
• ENVIRONMENT_NAME - Environment name
• ENVIRONMENT_ID - Environment ID
• PROJECT_NAME - Project name
• PROJECT_ID - Project ID
• USER_NAME - User name
• USER_ID - User ID
• ORGANIZATION_NAME - Organization name
• ORGANIZATION_ID - Organization ID
• ZONE_ID - Zone ID
• TIMEZONE_ID - Timezone ID

EnumScriptType

• GROOVY - Groovy script
• JAVASCRIPT - JavaScript script

MapValue

Field	Type	Required	Default	Description
value	string	Yes	-	Claim value
valueType	string	No	STRING	Value type. See MapValueType

MapValueType

• STRING - String value
• BOOLEAN - Boolean value
• INTEGER - Integer value
• LONG - Long value
• DOUBLE - Double value
• FLOAT - Float value
• STRING_LIST - String list (comma-separated)
• URI - URI value

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

cURL Example

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/jose-validation-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["production"],
      "order": 1
    },
    "policy": {
      "type": "policy-jose-validation",
      "description": "Validate JOSE tokens from request body",
      "active": true,
      "joseTarget": "BODY",
      "clientSourcePart": "CLAIMS",
      "clientFieldname": "iss",
      "acceptedAudienceList": ["api://myapi"],
      "exactMatchClaimMap": {
        "role": {
          "value": "admin",
          "valueType": "STRING"
        }
      },
      "requiredClaimList": ["sub", "exp"],
      "validateExpirationTime": true,
      "validateSign": true,
      "validateByIssuer": true,
      "decrypt": true,
      "decryptByIssuer": true,
      "stripAndDecode": "NONE"
    }
  }'

---

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer {token}
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-validation",
    "description": "Updated: Enhanced JOSE token validation with additional claims",
    "active": true,
    "joseTarget": "BODY",
    "joseTargetVariable": null,
    "clientSourcePart": "CLAIMS",
    "clientSourceVariable": null,
    "clientFieldname": "iss",
    "acceptedAudienceList": ["api://myapi", "api://partners"],
    "exactMatchClaimMap": {
      "role": {
        "value": "admin",
        "valueType": "STRING"
      },
      "department": {
        "value": "engineering",
        "valueType": "STRING"
      }
    },
    "requiredClaimList": ["sub", "exp", "iat", "jti"],
    "prohibitedClaimList": ["debug_mode"],
    "validateExpirationTime": true,
    "validateSign": true,
    "validateByIssuer": true,
    "validateACLforIssuer": true,
    "jwkIdForValidationAndSign": null,
    "decrypt": true,
    "decryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "stripAndDecode": "NONE",
    "jwtClaimsToDecode": null,
    "decodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}

Note: Request body structure is the same as Add Policy. All fields should be provided for update.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

---

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer {token}
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": false
  }
}

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": []
  }
}

---

Notes and Warnings

• JOSE Target:
  • BODY - Token is in request/response body (for POST/PUT requests)
  • AUTHORIZATION_HEADER - Token is in Authorization header (standard Bearer token)
  • CHOOSE_FROM_VARIABLE - Token location is dynamic (specified by variable)
• Client Source Part:
  • CLAIMS - Extract client info from JWT claims (e.g., “iss” claim)
  • HEADER - Extract client info from JOSE header
  • VARIABLE - Extract client info from a variable
• Validation:
  • Signature validation ensures token integrity and authenticity
  • Expiration validation ensures token is not expired
  • ACL validation ensures issuer is authorized
• Decryption:
  • JWE tokens must be decrypted before validation
  • Decryption key can come from issuer credentials or proxy JWK
• Strip and Decode:
  • NONE - Keep token as-is (default)
  • ALL - Decode all claims and place in target
  • PARTIAL - Decode only specified claims
• Claims Validation:
  • acceptedAudienceList - Validates “aud” claim
  • exactMatchClaimMap - Validates exact claim values
  • requiredClaimList - Ensures required claims are present
  • prohibitedClaimList - Ensures prohibited claims are absent
• JWK Management:
  • When validateByIssuer: true, uses issuer’s JWK from credentials
  • When validateByIssuer: false, uses proxy’s JWK (requires jwkIdForValidationAndSign)
  • Same logic applies for decryption (decryptByIssuer)
• Performance: JOSE validation adds cryptographic processing overhead. Use for necessary security only.
• Pipeline:
  • REQUEST pipeline validates incoming tokens
  • RESPONSE pipeline validates outgoing tokens
• Error Handling: Invalid token, expired token, or validation failure causes policy to fail
• Deployment: Policy changes require deployment to take effect. Set deploy: true or deploy manually.

Related Documentation

• List Policies - List all policies
• Add Policy - General policy addition guide
• Update Policy - General policy update guide
• Delete Policy - General policy deletion guide
• JOSE Implementation Policy - Generate JOSE tokens