Policy Type
policy-jose-implementation
Endpoints
List Policies
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Add Policy
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Update Policy
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Delete Policy
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
List Policies
Endpoint
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Request
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
Response
Success Response (200 OK)
{
"success": true,
"resultList": [
{
"apiProxy": {
"name": "MyAPI",
"requestPolicyList": [],
"responsePolicyList": [
{
"type": "policy-jose-implementation",
"name": "jose-implementation-policy",
"description": "Generate JOSE tokens",
"active": true,
"joseTarget": "BODY",
"joseTargetVariable": null,
"jwtClaimsClaim": null,
"escapeJsonString": false,
"addIssueTime": true,
"addJWTID": true,
"addIssuer": true,
"issuer": "https://myapi.com",
"addAudience": true,
"audienceList": ["api://myapi"],
"addSubject": true,
"subject": "user123",
"addTypeToHeader": true,
"typeValue": "JWT",
"addExpirationTime": true,
"expirationTimeValue": 3600,
"expirationTimeUnit": "SECONDS",
"additionalClaimMap": {
"role": {
"value": "admin",
"valueType": "STRING"
}
},
"sign": true,
"signByIssuer": true,
"jwkIdForValidationAndSign": null,
"encrypt": true,
"encryptByIssuer": true,
"jwkIdForDecryptionAndEncryption": null,
"encryptionMethod": "A128CBC_HS256",
"encodedClaimsTargetForDataManipulation": "BODY",
"decodedClaimsTargetVariableForDataManipulation": null
}
],
"errorPolicyList": []
}
}
],
"resultCount": 1
}
cURL Example
curl -X GET \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
-H "Authorization: Bearer YOUR_TOKEN"
Add Policy
Endpoint
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example - Basic JWT Generation
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-jose-implementation",
"description": "Generate signed JWT tokens",
"active": true,
"joseTarget": "BODY",
"joseTargetVariable": null,
"jwtClaimsClaim": null,
"escapeJsonString": false,
"addIssueTime": true,
"addJWTID": true,
"addIssuer": true,
"issuer": "https://myapi.com",
"addAudience": true,
"audienceList": ["api://myapi"],
"addSubject": true,
"subject": "user123",
"addTypeToHeader": true,
"typeValue": "JWT",
"addExpirationTime": true,
"expirationTimeValue": 3600,
"expirationTimeUnit": "SECONDS",
"additionalClaimMap": {
"role": {
"value": "admin",
"valueType": "STRING"
},
"permissions": {
"value": "read,write",
"valueType": "STRING_LIST"
}
},
"sign": true,
"signByIssuer": true,
"jwkIdForValidationAndSign": null,
"encrypt": false,
"encryptByIssuer": true,
"jwkIdForDecryptionAndEncryption": null,
"encryptionMethod": null,
"encodedClaimsTargetForDataManipulation": "BODY",
"decodedClaimsTargetVariableForDataManipulation": null
}
}
Full JSON Body Example - Signed and Encrypted JWE
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-jose-implementation",
"description": "Generate signed and encrypted JWE tokens",
"active": true,
"joseTarget": "AUTHORIZATION_HEADER",
"joseTargetVariable": null,
"jwtClaimsClaim": null,
"escapeJsonString": false,
"addIssueTime": true,
"addJWTID": true,
"addIssuer": true,
"issuer": "https://myapi.com",
"addAudience": true,
"audienceList": ["api://myapi"],
"addSubject": true,
"subject": "user123",
"addTypeToHeader": true,
"typeValue": "JWT",
"addExpirationTime": true,
"expirationTimeValue": 3600,
"expirationTimeUnit": "SECONDS",
"additionalClaimMap": {
"role": {
"value": "admin",
"valueType": "STRING"
}
},
"sign": true,
"signByIssuer": true,
"jwkIdForValidationAndSign": null,
"encrypt": true,
"encryptByIssuer": true,
"jwkIdForDecryptionAndEncryption": null,
"encryptionMethod": "A128CBC_HS256",
"encodedClaimsTargetForDataManipulation": "BODY",
"decodedClaimsTargetVariableForDataManipulation": null
}
}
Full JSON Body Example - Using Proxy JWK
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-jose-implementation",
"description": "Generate JWT using proxy JWK",
"active": true,
"joseTarget": "BODY",
"joseTargetVariable": null,
"jwtClaimsClaim": null,
"escapeJsonString": false,
"addIssueTime": true,
"addJWTID": true,
"addIssuer": true,
"issuer": "https://myapi.com",
"addAudience": true,
"audienceList": ["api://myapi"],
"addSubject": true,
"subject": "user123",
"addTypeToHeader": true,
"typeValue": "JWT",
"addExpirationTime": true,
"expirationTimeValue": 3600,
"expirationTimeUnit": "SECONDS",
"additionalClaimMap": {},
"sign": true,
"signByIssuer": false,
"jwkIdForValidationAndSign": "my-signing-jwk-id",
"encrypt": true,
"encryptByIssuer": false,
"jwkIdForDecryptionAndEncryption": "my-encryption-jwk-id",
"encryptionMethod": "A256GCM",
"encodedClaimsTargetForDataManipulation": "BODY",
"decodedClaimsTargetVariableForDataManipulation": null
}
}
Full JSON Body Example - Minimal Configuration
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-jose-implementation",
"description": "Generate minimal JWT",
"active": true,
"joseTarget": "BODY",
"joseTargetVariable": null,
"jwtClaimsClaim": null,
"escapeJsonString": false,
"addIssueTime": false,
"addJWTID": false,
"addIssuer": false,
"issuer": null,
"addAudience": false,
"audienceList": [],
"addSubject": false,
"subject": null,
"addTypeToHeader": false,
"typeValue": null,
"addExpirationTime": false,
"expirationTimeValue": null,
"expirationTimeUnit": null,
"additionalClaimMap": {
"custom": {
"value": "value",
"valueType": "STRING"
}
},
"sign": false,
"signByIssuer": true,
"jwkIdForValidationAndSign": null,
"encrypt": false,
"encryptByIssuer": true,
"jwkIdForDecryptionAndEncryption": null,
"encryptionMethod": null,
"encodedClaimsTargetForDataManipulation": "BODY",
"decodedClaimsTargetVariableForDataManipulation": null
}
}
Full JSON Body Example - Variable Target
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-jose-implementation",
"description": "Generate JWT to variable",
"active": true,
"joseTarget": "CHOOSE_FROM_VARIABLE",
"joseTargetVariable": {
"type": "HEADER",
"headerName": "X-JWT-Token"
},
"jwtClaimsClaim": null,
"escapeJsonString": false,
"addIssueTime": true,
"addJWTID": true,
"addIssuer": true,
"issuer": "https://myapi.com",
"addAudience": true,
"audienceList": ["api://myapi"],
"addSubject": true,
"subject": "user123",
"addTypeToHeader": true,
"typeValue": "JWT",
"addExpirationTime": true,
"expirationTimeValue": 3600,
"expirationTimeUnit": "SECONDS",
"additionalClaimMap": {},
"sign": true,
"signByIssuer": true,
"jwkIdForValidationAndSign": null,
"encrypt": false,
"encryptByIssuer": true,
"jwkIdForDecryptionAndEncryption": null,
"encryptionMethod": null,
"encodedClaimsTargetForDataManipulation": "CHOOSE_FROM_VARIABLE",
"decodedClaimsTargetVariableForDataManipulation": {
"type": "HEADER",
"headerName": "X-Encoded-Claims"
}
}
}
Request Body Fields
operationMetadata
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| targetScope | string | Yes | - | Policy scope: ALL or ENDPOINT |
| targetEndpoint | string | No* | - | Endpoint path (required if targetScope=ENDPOINT) |
| targetEndpointHTTPMethod | string | No* | - | HTTP method (required if targetScope=ENDPOINT) |
| targetPipeline | string | Yes | - | Pipeline: REQUEST, RESPONSE, or ERROR |
| deploy | boolean | No | true | Whether to deploy after adding policy |
| deployTargetEnvironmentNameList | array | No | [] | List of environment names to deploy to |
| order | integer | No | null | Policy execution order (starts from 1) |
Enum: targetScope
ALL - Policy applies to all endpoints
ENDPOINT - Policy applies only to specified endpoint
Enum: targetPipeline
REQUEST - Executes in request pipeline (generates tokens for requests)
RESPONSE - Executes in response pipeline (generates tokens for responses)
ERROR - Executes in error pipeline
Enum: targetEndpointHTTPMethod
GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
policy
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| type | string | Yes | - | Policy type: policy-jose-implementation |
| description | string | No | - | Policy description |
| active | boolean | No | true | Whether policy is active |
| joseTarget | string | Yes | BODY | JOSE target location. See EnumJoseImplementationSignedTarget |
| joseTargetVariable | object | No* | null | Variable for JOSE target (required if joseTarget=CHOOSE_FROM_VARIABLE). See VariableDTO |
| jwtClaimsClaim | string | No | null | JWT claims claim name (for nested claims) |
| escapeJsonString | boolean | No | false | Whether to escape JSON string values |
| addIssueTime | boolean | No | true | Whether to add issue time (iat) to JWT |
| addJWTID | boolean | No | true | Whether to add JWT ID (jti) to JWT |
| addIssuer | boolean | No | true | Whether to add issuer (iss) to JWT |
| issuer | string | No* | null | Issuer value (required if addIssuer=true) |
| addAudience | boolean | No | true | Whether to add audience (aud) to JWT |
| audienceList | array | No* | [] | Audience list (required if addAudience=true, at least one required) |
| addSubject | boolean | No | true | Whether to add subject (sub) to JWT |
| subject | string | No* | null | Subject value (required if addSubject=true) |
| addTypeToHeader | boolean | No | true | Whether to add type (typ) to header |
| typeValue | string | No* | null | Type value (required if addTypeToHeader=true) |
| addExpirationTime | boolean | No | true | Whether to add expiration time (exp) to JWT |
| expirationTimeValue | integer | No* | null | Expiration time value (required if addExpirationTime=true, must be > 0) |
| expirationTimeUnit | string | No* | null | Expiration time unit (required if addExpirationTime=true). See EnumTimeUnit |
| additionalClaimMap | object | No | | Map of additional claims. See MapValue |
| sign | boolean | No | true | Whether to sign JWT |
| signByIssuer | boolean | No | true | Sign by issuer (true) or by proxy’s JWK (false) |
| jwkIdForValidationAndSign | string | No* | null | JWK ID for validation and signing (required if sign=true and signByIssuer=false) |
| encrypt | boolean | No | true | Whether to encrypt JWT |
| encryptByIssuer | boolean | No | true | Encrypt by issuer (true) or by proxy’s JWK (false) |
| jwkIdForDecryptionAndEncryption | string | No* | null | JWK ID for decryption and encryption (required if encrypt=true and encryptByIssuer=false) |
| encryptionMethod | string | No* | null | Encryption method (required if encrypt=true). See EnumJwkEncryptionMethod |
| encodedClaimsTargetForDataManipulation | string | No | BODY | Target for encoded claims data manipulation. See EnumJoseTarget |
| decodedClaimsTargetVariableForDataManipulation | object | No* | null | Variable for encoded claims target (required if encodedClaimsTargetForDataManipulation=CHOOSE_FROM_VARIABLE). See VariableDTO |
EnumJoseImplementationSignedTarget
BODY - Place JOSE token in request/response body
AUTHORIZATION_HEADER - Place JOSE token in Authorization header
CHOOSE_FROM_VARIABLE - Place JOSE token at the location specified by a variable (requires joseTargetVariable)
EMPTY - Do not place token (for internal use only)
EnumTimeUnit
MILLI_SECONDS - Milliseconds
SECONDS - Seconds
MINUTES - Minutes
HOURS - Hours
DAYS - Days
WEEKS - Weeks
MONTHS - Months
YEARS - Years
EnumJwkEncryptionMethod
A128CBC_HS256 - AES-128-CBC with HMAC-SHA-256 (recommended)
A192CBC_HS384 - AES-192-CBC with HMAC-SHA-384
A256CBC_HS512 - AES-256-CBC with HMAC-SHA-512
A128CBC_HS256_DEPRECATED - AES-128-CBC with HMAC-SHA-256 (deprecated)
A256CBC_HS512_DEPRECATED - AES-256-CBC with HMAC-SHA-512 (deprecated)
A128GCM - AES-128-GCM
A192GCM - AES-192-GCM
A256GCM - AES-256-GCM (recommended for GCM)
XC20P - XChaCha20-Poly1305
EnumJoseTarget
BODY - Place encoded claims in request/response body
AUTHORIZATION_HEADER - Place encoded claims in Authorization header
CHOOSE_FROM_VARIABLE - Place encoded claims in variable (requires decodedClaimsTargetVariableForDataManipulation)
Note
- If joseTarget: CHOOSE_FROM_VARIABLE, joseTargetVariable is required.
- If addIssuer: true, issuer is required.
- If addAudience: true, audienceList is required and must contain at least one value.
- If addSubject: true, subject is required.
- If addTypeToHeader: true, typeValue is required.
- If addExpirationTime: true, both expirationTimeValue (must be > 0) and expirationTimeUnit are required.
- If sign: true and signByIssuer: false, jwkIdForValidationAndSign is required.
- If encrypt: true, encryptionMethod is required.
- If encrypt: true and encryptByIssuer: false, jwkIdForDecryptionAndEncryption is required.
- If encodedClaimsTargetForDataManipulation: CHOOSE_FROM_VARIABLE, decodedClaimsTargetVariableForDataManipulation is required.
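The conditional requirements in the note above can be checked before a body is sent to the Add or Update endpoint. The following pre-flight linter is an added example, not Apinizer code: `lint_policy`, `DEFAULTS` and `SAMPLE` are names chosen here, and it assumes omitted fields take the defaults from the policy table. Its warnings for `sign: false`, a missing `exp` claim and `_DEPRECATED` methods are hardening checks added here, not API validation rules.

```python
# Defaults and enum values copied from the field tables on this page.
DEFAULTS = {
    "joseTarget": "BODY", "addIssuer": True, "addAudience": True,
    "addSubject": True, "addTypeToHeader": True, "addExpirationTime": True,
    "sign": True, "signByIssuer": True, "encrypt": True, "encryptByIssuer": True,
    "encodedClaimsTargetForDataManipulation": "BODY",
}
ENCRYPTION_METHODS = {
    "A128CBC_HS256", "A192CBC_HS384", "A256CBC_HS512",
    "A128CBC_HS256_DEPRECATED", "A256CBC_HS512_DEPRECATED",
    "A128GCM", "A192GCM", "A256GCM", "XC20P",
}
TIME_UNITS = {"MILLI_SECONDS", "SECONDS", "MINUTES", "HOURS",
              "DAYS", "WEEKS", "MONTHS", "YEARS"}


def lint_policy(policy):
    """Return (errors, warnings) for the "policy" object of an Add/Update body."""
    p = {**DEFAULTS, **policy}  # omitted fields fall back to documented defaults
    errors, warnings = [], []

    def require(field, when, reason):
        if when and p.get(field) in (None, "", [], {}):
            errors.append(f"{field} is required when {reason}")

    choose = "CHOOSE_FROM_VARIABLE"
    require("joseTargetVariable", p["joseTarget"] == choose, f"joseTarget={choose}")
    require("issuer", p["addIssuer"], "addIssuer=true")
    require("audienceList", p["addAudience"], "addAudience=true")
    require("subject", p["addSubject"], "addSubject=true")
    require("typeValue", p["addTypeToHeader"], "addTypeToHeader=true")
    require("jwkIdForValidationAndSign", p["sign"] and not p["signByIssuer"],
            "sign=true and signByIssuer=false")
    require("encryptionMethod", p["encrypt"], "encrypt=true")
    require("jwkIdForDecryptionAndEncryption",
            p["encrypt"] and not p["encryptByIssuer"],
            "encrypt=true and encryptByIssuer=false")
    require("decodedClaimsTargetVariableForDataManipulation",
            p["encodedClaimsTargetForDataManipulation"] == choose,
            f"encodedClaimsTargetForDataManipulation={choose}")

    if p["addExpirationTime"]:
        value = p.get("expirationTimeValue")
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            errors.append("expirationTimeValue must be an integer > 0")
        if p.get("expirationTimeUnit") not in TIME_UNITS:
            errors.append("expirationTimeUnit must be an EnumTimeUnit value")
    else:
        warnings.append("addExpirationTime=false: token has no exp claim")

    method = p.get("encryptionMethod")
    if p["encrypt"] and method is not None:
        if not isinstance(method, str) or method not in ENCRYPTION_METHODS:
            errors.append(f"unknown encryptionMethod {method!r}")
        elif method.endswith("_DEPRECATED"):
            warnings.append(f"{method} is marked deprecated; pick another method")
    if not p["sign"]:
        warnings.append("sign=false: token has no signature to verify")
    return errors, warnings


# Constructed sample: proxy-JWK signing without a key id, deprecated method.
SAMPLE = {
    "issuer": "https://myapi.com", "audienceList": ["api://myapi"],
    "subject": "user123", "typeValue": "JWT",
    "expirationTimeValue": 3600, "expirationTimeUnit": "SECONDS",
    "signByIssuer": False, "encryptionMethod": "A128CBC_HS256_DEPRECATED",
}

if __name__ == "__main__":
    print(*lint_policy(SAMPLE), sep="\n")
```

Pass it the `policy` object only, not the whole request body with `operationMetadata`.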
VariableDTO
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| id | string | No | - | Variable ID (if referencing existing variable) |
| projectId | string | No | - | Project ID (if referencing existing variable) |
| name | string | No* | - | Variable name (required if id not provided) |
| description | string | No | - | Variable description |
| type | string | Yes | - | Variable type: HEADER, PARAMETER, BODY, CONTEXT_VALUES, CUSTOM |
| headerName | string | No* | - | Header name (required if type=HEADER) |
| paramType | string | No* | - | Parameter type: QUERY, PATH, FORM (required if type=PARAMETER) |
| paramName | string | No* | - | Parameter name (required if type=PARAMETER) |
| paramPath | string | No | - | Parameter path |
| formName | string | No | - | Form name (for form parameters) |
| xpathValue | string | No* | - | XPath value (required if type=BODY and content is XML) |
| jsonPathValue | string | No* | - | JSONPath value (required if type=BODY and content is JSON) |
| bodyJsonPath | string | No* | - | JSONPath value (alternative to jsonPathValue) |
| messageContentType | string | No* | - | Message content type: JSON, XML, FORM (required if type=BODY) |
| contextValue | string | No* | - | Context value (required if type=CONTEXT_VALUES) |
| zoneId | string | No | - | Zone ID (for date context values) |
| initWithScript | boolean | No | false | Initialize with script |
| scriptLanguage | string | No | - | Script language: GROOVY, JAVASCRIPT (required if initWithScript=true) |
| scriptBody | string | No | - | Script body (required if initWithScript=true) |
EnumVariableType
HEADER - HTTP header
PARAMETER - Query/path/form parameter
BODY - Request/response body
CONTEXT_VALUES - Context values (e.g., current time, IP address)
CUSTOM - Custom variable (script-based)
EnumVariableParameterType
QUERY - Query parameter
PATH - Path parameter
FORM - Form parameter
EnumMessageContentType
JSON - JSON content
XML - XML content
FORM - Form content
EnumVariableContextValue
CURRENT_TIME - Current timestamp
CURRENT_DATE - Current date
CLIENT_IP - Client IP address
CLIENT_PORT - Client port
SERVER_IP - Server IP address
SERVER_PORT - Server port
REQUEST_METHOD - HTTP request method
REQUEST_URI - Request URI
REQUEST_PATH - Request path
REQUEST_QUERY_STRING - Query string
REQUEST_PROTOCOL - Request protocol
REQUEST_HOST - Request host
REQUEST_SCHEME - Request scheme
RESPONSE_STATUS_CODE - Response status code
RESPONSE_STATUS_TEXT - Response status text
API_PROXY_NAME - API Proxy name
API_PROXY_ID - API Proxy ID
ENDPOINT_NAME - Endpoint name
ENDPOINT_ID - Endpoint ID
ENVIRONMENT_NAME - Environment name
ENVIRONMENT_ID - Environment ID
PROJECT_NAME - Project name
PROJECT_ID - Project ID
USER_NAME - User name
USER_ID - User ID
ORGANIZATION_NAME - Organization name
ORGANIZATION_ID - Organization ID
ZONE_ID - Zone ID
TIMEZONE_ID - Timezone ID
EnumScriptType
GROOVY - Groovy script
JAVASCRIPT - JavaScript script
MapValue
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| value | string | Yes | - | Claim value |
| valueType | string | No | STRING | Value type. See MapValueType |
MapValueType
STRING - String value
BOOLEAN - Boolean value
INTEGER - Integer value
LONG - Long value
DOUBLE - Double value
FLOAT - Float value
STRING_LIST - String list (comma-separated)
URI - URI value
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
cURL Example
curl -X POST \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/jose-implementation-policy/" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-jose-implementation",
"description": "Generate signed JWT tokens",
"active": true,
"joseTarget": "BODY",
"addIssueTime": true,
"addJWTID": true,
"addIssuer": true,
"issuer": "https://myapi.com",
"addAudience": true,
"audienceList": ["api://myapi"],
"addSubject": true,
"subject": "user123",
"addTypeToHeader": true,
"typeValue": "JWT",
"addExpirationTime": true,
"expirationTimeValue": 3600,
"expirationTimeUnit": "SECONDS",
"sign": true,
"signByIssuer": true,
"encrypt": false
}
}'
Update Policy
Endpoint
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": true,
"deployTargetEnvironmentNameList": ["tester"],
"order": 1
},
"policy": {
"type": "policy-jose-implementation",
"description": "Updated: Generate signed JWT tokens with encryption",
"active": true,
"joseTarget": "BODY",
"joseTargetVariable": null,
"jwtClaimsClaim": null,
"escapeJsonString": false,
"addIssueTime": true,
"addJWTID": true,
"addIssuer": true,
"issuer": "https://myapi.com",
"addAudience": true,
"audienceList": ["api://myapi", "api://partners"],
"addSubject": true,
"subject": "user123",
"addTypeToHeader": true,
"typeValue": "JWT",
"addExpirationTime": true,
"expirationTimeValue": 7200,
"expirationTimeUnit": "SECONDS",
"additionalClaimMap": {
"role": {
"value": "admin",
"valueType": "STRING"
},
"permissions": {
"value": "read,write,delete",
"valueType": "STRING_LIST"
},
"department": {
"value": "engineering",
"valueType": "STRING"
}
},
"sign": true,
"signByIssuer": true,
"jwkIdForValidationAndSign": null,
"encrypt": true,
"encryptByIssuer": true,
"jwkIdForDecryptionAndEncryption": null,
"encryptionMethod": "A256GCM",
"encodedClaimsTargetForDataManipulation": "BODY",
"decodedClaimsTargetVariableForDataManipulation": null
}
}
Note: Request body structure is the same as Add Policy. All fields should be provided for update.
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
Delete Policy
Endpoint
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
| Header | Value |
|---|---|
| Authorization | Bearer {token} |
| Content-Type | application/json |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "RESPONSE",
"deploy": false
}
}
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": []
}
}
Notes and Warnings
- JOSE Target:
  - BODY - Token is placed in request/response body
  - AUTHORIZATION_HEADER - Token is placed in Authorization header (standard Bearer token)
  - CHOOSE_FROM_VARIABLE - Token location is dynamic (specified by variable)
  - EMPTY - Token is not placed (for internal use only)
- Standard Claims:
  - iat (Issue Time) - Added when addIssueTime: true
  - jti (JWT ID) - Added when addJWTID: true
  - iss (Issuer) - Added when addIssuer: true (requires issuer)
  - aud (Audience) - Added when addAudience: true (requires audienceList)
  - sub (Subject) - Added when addSubject: true (requires subject)
  - exp (Expiration Time) - Added when addExpirationTime: true (requires expirationTimeValue and expirationTimeUnit)
  - typ - Added to header when addTypeToHeader: true (requires typeValue)
- Signing:
  - JWT can be signed for integrity and authenticity
  - Signing key can come from issuer credentials or proxy JWK
  - When signByIssuer: false, jwkIdForValidationAndSign is required
- Encryption:
  - JWT can be encrypted to create JWE (JSON Web Encryption)
  - Encryption method must be specified when encrypt: true
  - Encryption key can come from issuer credentials or proxy JWK
  - When encryptByIssuer: false, jwkIdForDecryptionAndEncryption is required
- Encryption Methods:
  - A128CBC_HS256, A192CBC_HS384, A256CBC_HS512 - AES-CBC with HMAC (recommended)
  - A128GCM, A192GCM, A256GCM - AES-GCM (recommended for GCM)
  - XC20P - XChaCha20-Poly1305 (modern, secure)
  - Deprecated methods should be avoided
- Additional Claims:
  - Custom claims can be added via additionalClaimMap
  - Claims support various value types (STRING, BOOLEAN, INTEGER, LONG, DOUBLE, FLOAT, STRING_LIST, URI)
- Escape JSON String:
  - When escapeJsonString: true, JSON string values are escaped
  - Useful for nested JSON structures
- Performance: JOSE token generation adds cryptographic processing overhead. Use it only where the security it provides is needed.
- Pipeline:
  - REQUEST pipeline generates tokens for outgoing requests
  - RESPONSE pipeline generates tokens for outgoing responses
- Error Handling: Invalid configuration or JWK failure causes the policy to fail
- Deployment: Policy changes require deployment to take effect. Set deploy: true or deploy manually.