General Information

Policy Type

policy-jose-implementation

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

| Header | Value |
| --- | --- |
| Authorization | Bearer {token} |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [],
        "responsePolicyList": [
          {
            "type": "policy-jose-implementation",
            "name": "jose-implementation-policy",
            "description": "Generate JOSE tokens",
            "active": true,
            "joseTarget": "BODY",
            "joseTargetVariable": null,
            "jwtClaimsClaim": null,
            "escapeJsonString": false,
            "addIssueTime": true,
            "addJWTID": true,
            "addIssuer": true,
            "issuer": "https://myapi.com",
            "addAudience": true,
            "audienceList": ["api://myapi"],
            "addSubject": true,
            "subject": "user123",
            "addTypeToHeader": true,
            "typeValue": "JWT",
            "addExpirationTime": true,
            "expirationTimeValue": 3600,
            "expirationTimeUnit": "SECONDS",
            "additionalClaimMap": {
              "role": {
                "value": "admin",
                "valueType": "STRING"
              }
            },
            "sign": true,
            "signByIssuer": true,
            "jwkIdForValidationAndSign": null,
            "encrypt": true,
            "encryptByIssuer": true,
            "jwkIdForDecryptionAndEncryption": null,
            "encryptionMethod": "A128CBC_HS256",
            "encodedClaimsTargetForDataManipulation": "BODY",
            "decodedClaimsTargetVariableForDataManipulation": null
          }
        ],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

cURL Example

curl -X GET \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
  -H "Authorization: Bearer YOUR_TOKEN"

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

| Header | Value |
| --- | --- |
| Authorization | Bearer {token} |
| Content-Type | application/json |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |

Request Body

Full JSON Body Example - Basic JWT Generation
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-implementation",
    "description": "Generate signed JWT tokens",
    "active": true,
    "joseTarget": "BODY",
    "joseTargetVariable": null,
    "jwtClaimsClaim": null,
    "escapeJsonString": false,
    "addIssueTime": true,
    "addJWTID": true,
    "addIssuer": true,
    "issuer": "https://myapi.com",
    "addAudience": true,
    "audienceList": ["api://myapi"],
    "addSubject": true,
    "subject": "user123",
    "addTypeToHeader": true,
    "typeValue": "JWT",
    "addExpirationTime": true,
    "expirationTimeValue": 3600,
    "expirationTimeUnit": "SECONDS",
    "additionalClaimMap": {
      "role": {
        "value": "admin",
        "valueType": "STRING"
      },
      "permissions": {
        "value": "read,write",
        "valueType": "STRING_LIST"
      }
    },
    "sign": true,
    "signByIssuer": true,
    "jwkIdForValidationAndSign": null,
    "encrypt": false,
    "encryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "encryptionMethod": null,
    "encodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}
Full JSON Body Example - Signed and Encrypted JWE
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-implementation",
    "description": "Generate signed and encrypted JWE tokens",
    "active": true,
    "joseTarget": "AUTHORIZATION_HEADER",
    "joseTargetVariable": null,
    "jwtClaimsClaim": null,
    "escapeJsonString": false,
    "addIssueTime": true,
    "addJWTID": true,
    "addIssuer": true,
    "issuer": "https://myapi.com",
    "addAudience": true,
    "audienceList": ["api://myapi"],
    "addSubject": true,
    "subject": "user123",
    "addTypeToHeader": true,
    "typeValue": "JWT",
    "addExpirationTime": true,
    "expirationTimeValue": 3600,
    "expirationTimeUnit": "SECONDS",
    "additionalClaimMap": {
      "role": {
        "value": "admin",
        "valueType": "STRING"
      }
    },
    "sign": true,
    "signByIssuer": true,
    "jwkIdForValidationAndSign": null,
    "encrypt": true,
    "encryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "encryptionMethod": "A128CBC_HS256",
    "encodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}
Full JSON Body Example - Using Proxy JWK
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-implementation",
    "description": "Generate JWT using proxy JWK",
    "active": true,
    "joseTarget": "BODY",
    "joseTargetVariable": null,
    "jwtClaimsClaim": null,
    "escapeJsonString": false,
    "addIssueTime": true,
    "addJWTID": true,
    "addIssuer": true,
    "issuer": "https://myapi.com",
    "addAudience": true,
    "audienceList": ["api://myapi"],
    "addSubject": true,
    "subject": "user123",
    "addTypeToHeader": true,
    "typeValue": "JWT",
    "addExpirationTime": true,
    "expirationTimeValue": 3600,
    "expirationTimeUnit": "SECONDS",
    "additionalClaimMap": {},
    "sign": true,
    "signByIssuer": false,
    "jwkIdForValidationAndSign": "my-signing-jwk-id",
    "encrypt": true,
    "encryptByIssuer": false,
    "jwkIdForDecryptionAndEncryption": "my-encryption-jwk-id",
    "encryptionMethod": "A256GCM",
    "encodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}
Full JSON Body Example - Minimal Configuration
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-implementation",
    "description": "Generate minimal JWT",
    "active": true,
    "joseTarget": "BODY",
    "joseTargetVariable": null,
    "jwtClaimsClaim": null,
    "escapeJsonString": false,
    "addIssueTime": false,
    "addJWTID": false,
    "addIssuer": false,
    "issuer": null,
    "addAudience": false,
    "audienceList": [],
    "addSubject": false,
    "subject": null,
    "addTypeToHeader": false,
    "typeValue": null,
    "addExpirationTime": false,
    "expirationTimeValue": null,
    "expirationTimeUnit": null,
    "additionalClaimMap": {
      "custom": {
        "value": "value",
        "valueType": "STRING"
      }
    },
    "sign": false,
    "signByIssuer": true,
    "jwkIdForValidationAndSign": null,
    "encrypt": false,
    "encryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "encryptionMethod": null,
    "encodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}
Full JSON Body Example - Variable Target
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-implementation",
    "description": "Generate JWT to variable",
    "active": true,
    "joseTarget": "CHOOSE_FROM_VARIABLE",
    "joseTargetVariable": {
      "type": "HEADER",
      "headerName": "X-JWT-Token"
    },
    "jwtClaimsClaim": null,
    "escapeJsonString": false,
    "addIssueTime": true,
    "addJWTID": true,
    "addIssuer": true,
    "issuer": "https://myapi.com",
    "addAudience": true,
    "audienceList": ["api://myapi"],
    "addSubject": true,
    "subject": "user123",
    "addTypeToHeader": true,
    "typeValue": "JWT",
    "addExpirationTime": true,
    "expirationTimeValue": 3600,
    "expirationTimeUnit": "SECONDS",
    "additionalClaimMap": {},
    "sign": true,
    "signByIssuer": true,
    "jwkIdForValidationAndSign": null,
    "encrypt": false,
    "encryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "encryptionMethod": null,
    "encodedClaimsTargetForDataManipulation": "CHOOSE_FROM_VARIABLE",
    "decodedClaimsTargetVariableForDataManipulation": {
      "type": "HEADER",
      "headerName": "X-Encoded-Claims"
    }
  }
}

Request Body Fields

operationMetadata

| Field | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| targetScope | string | Yes | - | Policy scope: ALL or ENDPOINT |
| targetEndpoint | string | No* | - | Endpoint path (required if targetScope=ENDPOINT) |
| targetEndpointHTTPMethod | string | No* | - | HTTP method (required if targetScope=ENDPOINT) |
| targetPipeline | string | Yes | - | Pipeline: REQUEST, RESPONSE, or ERROR |
| deploy | boolean | No | true | Whether to deploy after adding policy |
| deployTargetEnvironmentNameList | array | No | [] | List of environment names to deploy to |
| order | integer | No | null | Policy execution order (starts from 1) |

Enum: targetScope
  • ALL - Policy applies to all endpoints
  • ENDPOINT - Policy applies only to specified endpoint

Enum: targetPipeline
  • REQUEST - Executes in request pipeline (generates tokens for requests)
  • RESPONSE - Executes in response pipeline (generates tokens for responses)
  • ERROR - Executes in error pipeline

Enum: targetEndpointHTTPMethod
  • GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD

policy

| Field | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| type | string | Yes | - | Policy type: policy-jose-implementation |
| description | string | No | - | Policy description |
| active | boolean | No | true | Whether policy is active |
| joseTarget | string | Yes | BODY | JOSE target location. See EnumJoseImplementationSignedTarget |
| joseTargetVariable | object | No* | null | Variable for JOSE target (required if joseTarget=CHOOSE_FROM_VARIABLE). See VariableDTO |
| jwtClaimsClaim | string | No | null | JWT claims claim name (for nested claims) |
| escapeJsonString | boolean | No | false | Whether to escape JSON string values |
| addIssueTime | boolean | No | true | Whether to add issue time (iat) to JWT |
| addJWTID | boolean | No | true | Whether to add JWT ID (jti) to JWT |
| addIssuer | boolean | No | true | Whether to add issuer (iss) to JWT |
| issuer | string | No* | null | Issuer value (required if addIssuer=true) |
| addAudience | boolean | No | true | Whether to add audience (aud) to JWT |
| audienceList | array | No* | [] | Audience list (required if addAudience=true, at least one required) |
| addSubject | boolean | No | true | Whether to add subject (sub) to JWT |
| subject | string | No* | null | Subject value (required if addSubject=true) |
| addTypeToHeader | boolean | No | true | Whether to add type (typ) to header |
| typeValue | string | No* | null | Type value (required if addTypeToHeader=true) |
| addExpirationTime | boolean | No | true | Whether to add expiration time (exp) to JWT |
| expirationTimeValue | integer | No* | null | Expiration time value (required if addExpirationTime=true, must be > 0) |
| expirationTimeUnit | string | No* | null | Expiration time unit (required if addExpirationTime=true). See EnumTimeUnit |
| additionalClaimMap | object | No | | Map of additional claims. See MapValue |
| sign | boolean | No | true | Whether to sign JWT |
| signByIssuer | boolean | No | true | Sign by issuer (true) or by proxy’s JWK (false) |
| jwkIdForValidationAndSign | string | No* | null | JWK ID for validation and signing (required if sign=true and signByIssuer=false) |
| encrypt | boolean | No | true | Whether to encrypt JWT |
| encryptByIssuer | boolean | No | true | Encrypt by issuer (true) or by proxy’s JWK (false) |
| jwkIdForDecryptionAndEncryption | string | No* | null | JWK ID for decryption and encryption (required if encrypt=true and encryptByIssuer=false) |
| encryptionMethod | string | No* | null | Encryption method (required if encrypt=true). See EnumJwkEncryptionMethod |
| encodedClaimsTargetForDataManipulation | string | No | BODY | Target for encoded claims data manipulation. See EnumJoseTarget |
| decodedClaimsTargetVariableForDataManipulation | object | No* | null | Variable for encoded claims target (required if encodedClaimsTargetForDataManipulation=CHOOSE_FROM_VARIABLE). See VariableDTO |

EnumJoseImplementationSignedTarget

  • BODY - Place JOSE token in request/response body
  • AUTHORIZATION_HEADER - Place JOSE token in Authorization header
  • CHOOSE_FROM_VARIABLE - Place JOSE token in the location specified by a variable (requires joseTargetVariable)
  • EMPTY - Do not place token (for internal use only)

EnumTimeUnit

  • MILLI_SECONDS - Milliseconds
  • SECONDS - Seconds
  • MINUTES - Minutes
  • HOURS - Hours
  • DAYS - Days
  • WEEKS - Weeks
  • MONTHS - Months
  • YEARS - Years

EnumJwkEncryptionMethod

  • A128CBC_HS256 - AES-128-CBC with HMAC-SHA-256 (recommended)
  • A192CBC_HS384 - AES-192-CBC with HMAC-SHA-384
  • A256CBC_HS512 - AES-256-CBC with HMAC-SHA-512
  • A128CBC_HS256_DEPRECATED - AES-128-CBC with HMAC-SHA-256 (deprecated)
  • A256CBC_HS512_DEPRECATED - AES-256-CBC with HMAC-SHA-512 (deprecated)
  • A128GCM - AES-128-GCM
  • A192GCM - AES-192-GCM
  • A256GCM - AES-256-GCM (recommended for GCM)
  • XC20P - XChaCha20-Poly1305

EnumJoseTarget

  • BODY - Place encoded claims in request/response body
  • AUTHORIZATION_HEADER - Place encoded claims in Authorization header
  • CHOOSE_FROM_VARIABLE - Place encoded claims in variable (requires decodedClaimsTargetVariableForDataManipulation)

Note

  • If joseTarget: CHOOSE_FROM_VARIABLE, joseTargetVariable is required.
  • If addIssuer: true, issuer is required.
  • If addAudience: true, audienceList is required and must contain at least one value.
  • If addSubject: true, subject is required.
  • If addTypeToHeader: true, typeValue is required.
  • If addExpirationTime: true, both expirationTimeValue (must be > 0) and expirationTimeUnit are required.
  • If sign: true and signByIssuer: false, jwkIdForValidationAndSign is required.
  • If encrypt: true, encryptionMethod is required.
  • If encrypt: true and encryptByIssuer: false, jwkIdForDecryptionAndEncryption is required.
  • If encodedClaimsTargetForDataManipulation: CHOOSE_FROM_VARIABLE, decodedClaimsTargetVariableForDataManipulation is required.
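
The conditional requirements in the Note list above can be checked before a body is sent to the Add Policy or Update Policy endpoint. The following Python is an added example, not Apinizer code: it encodes those rules, overlays the defaults from the policy field table (an assumption about how omitted fields are treated), and adds three hardening warnings of its own. The names validate_policy, audit_policy, effective, MINIMAL and BROKEN are hypothetical and constructed here.

```python
# Added example (not Apinizer code): pre-flight check of a "policy" object.

DEPRECATED_METHODS = {"A128CBC_HS256_DEPRECATED", "A256CBC_HS512_DEPRECATED"}

# Defaults from the policy field table. Assumption: an omitted field is
# treated by the API as if it carried its documented default.
DEFAULTS = {
    "joseTarget": "BODY", "addIssuer": True, "addAudience": True,
    "addSubject": True, "addTypeToHeader": True, "addExpirationTime": True,
    "sign": True, "signByIssuer": True, "encrypt": True,
    "encryptByIssuer": True, "encodedClaimsTargetForDataManipulation": "BODY",
}

# One entry per line of the Note list: (condition, field then required).
RULES = [
    (lambda p: p["joseTarget"] == "CHOOSE_FROM_VARIABLE", "joseTargetVariable"),
    (lambda p: p["addIssuer"], "issuer"),
    (lambda p: p["addAudience"], "audienceList"),
    (lambda p: p["addSubject"], "subject"),
    (lambda p: p["addTypeToHeader"], "typeValue"),
    (lambda p: p["addExpirationTime"], "expirationTimeValue"),
    (lambda p: p["addExpirationTime"], "expirationTimeUnit"),
    (lambda p: p["sign"] and not p["signByIssuer"], "jwkIdForValidationAndSign"),
    (lambda p: p["encrypt"], "encryptionMethod"),
    (lambda p: p["encrypt"] and not p["encryptByIssuer"],
     "jwkIdForDecryptionAndEncryption"),
    (lambda p: p["encodedClaimsTargetForDataManipulation"] == "CHOOSE_FROM_VARIABLE",
     "decodedClaimsTargetVariableForDataManipulation"),
]


def effective(policy):
    """Overlay the supplied fields on the documented defaults."""
    return {**DEFAULTS, **policy}


def validate_policy(policy):
    """Return the fields that break a conditional rule, in rule order."""
    p = effective(policy)
    errors = [field for cond, field in RULES
              if cond(p) and p.get(field) in (None, "", [])]
    # expirationTimeValue must be > 0, not merely present.
    value = p.get("expirationTimeValue")
    if p["addExpirationTime"] and isinstance(value, int) and value <= 0:
        errors.append("expirationTimeValue")
    return errors


def audit_policy(policy):
    """Return hardening warnings; these are added checks, not API rules."""
    p = effective(policy)
    warnings = []
    if not p["sign"]:
        warnings.append("sign=false: token carries no signature")
    if not p["addExpirationTime"]:
        warnings.append("addExpirationTime=false: token has no exp claim")
    if p["encrypt"] and p.get("encryptionMethod") in DEPRECATED_METHODS:
        warnings.append("encryptionMethod is a deprecated value")
    return warnings


# Constructed samples. MINIMAL follows the page's "Minimal Configuration"
# body; BROKEN is a proxy-JWK variant with fields left out on purpose.
MINIMAL = {
    "joseTarget": "BODY", "addIssuer": False, "addAudience": False,
    "addSubject": False, "addTypeToHeader": False,
    "addExpirationTime": False, "sign": False, "encrypt": False,
}
BROKEN = {
    "issuer": "https://myapi.com", "audienceList": [], "subject": "user123",
    "typeValue": "JWT", "expirationTimeValue": 0,
    "expirationTimeUnit": "SECONDS", "signByIssuer": False,
    "encryptByIssuer": False, "encryptionMethod": "A128CBC_HS256_DEPRECATED",
}
```

MINIMAL passes validation but draws two warnings, while BROKEN fails on audienceList, both JWK IDs and the zero expiration value. Because encrypt defaults to true in the field table, a body that omits both encrypt and encryptionMethod is reported as missing encryptionMethod under the default-overlay assumption.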

VariableDTO

| Field | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| id | string | No | - | Variable ID (if referencing existing variable) |
| projectId | string | No | - | Project ID (if referencing existing variable) |
| name | string | No* | - | Variable name (required if id not provided) |
| description | string | No | - | Variable description |
| type | string | Yes | - | Variable type: HEADER, PARAMETER, BODY, CONTEXT_VALUES, CUSTOM |
| headerName | string | No* | - | Header name (required if type=HEADER) |
| paramType | string | No* | - | Parameter type: QUERY, PATH, FORM (required if type=PARAMETER) |
| paramName | string | No* | - | Parameter name (required if type=PARAMETER) |
| paramPath | string | No | - | Parameter path |
| formName | string | No | - | Form name (for form parameters) |
| xpathValue | string | No* | - | XPath value (required if type=BODY and content is XML) |
| jsonPathValue | string | No* | - | JSONPath value (required if type=BODY and content is JSON) |
| bodyJsonPath | string | No* | - | JSONPath value (alternative to jsonPathValue) |
| messageContentType | string | No* | - | Message content type: JSON, XML, FORM (required if type=BODY) |
| contextValue | string | No* | - | Context value (required if type=CONTEXT_VALUES) |
| zoneId | string | No | - | Zone ID (for date context values) |
| initWithScript | boolean | No | false | Initialize with script |
| scriptLanguage | string | No | - | Script language: GROOVY, JAVASCRIPT (required if initWithScript=true) |
| scriptBody | string | No | - | Script body (required if initWithScript=true) |

EnumVariableType

  • HEADER - HTTP header
  • PARAMETER - Query/path/form parameter
  • BODY - Request/response body
  • CONTEXT_VALUES - Context values (e.g., current time, IP address)
  • CUSTOM - Custom variable (script-based)

EnumVariableParameterType

  • QUERY - Query parameter
  • PATH - Path parameter
  • FORM - Form parameter

EnumMessageContentType

  • JSON - JSON content
  • XML - XML content
  • FORM - Form content

EnumVariableContextValue

  • CURRENT_TIME - Current timestamp
  • CURRENT_DATE - Current date
  • CLIENT_IP - Client IP address
  • CLIENT_PORT - Client port
  • SERVER_IP - Server IP address
  • SERVER_PORT - Server port
  • REQUEST_METHOD - HTTP request method
  • REQUEST_URI - Request URI
  • REQUEST_PATH - Request path
  • REQUEST_QUERY_STRING - Query string
  • REQUEST_PROTOCOL - Request protocol
  • REQUEST_HOST - Request host
  • REQUEST_SCHEME - Request scheme
  • RESPONSE_STATUS_CODE - Response status code
  • RESPONSE_STATUS_TEXT - Response status text
  • API_PROXY_NAME - API Proxy name
  • API_PROXY_ID - API Proxy ID
  • ENDPOINT_NAME - Endpoint name
  • ENDPOINT_ID - Endpoint ID
  • ENVIRONMENT_NAME - Environment name
  • ENVIRONMENT_ID - Environment ID
  • PROJECT_NAME - Project name
  • PROJECT_ID - Project ID
  • USER_NAME - User name
  • USER_ID - User ID
  • ORGANIZATION_NAME - Organization name
  • ORGANIZATION_ID - Organization ID
  • ZONE_ID - Zone ID
  • TIMEZONE_ID - Timezone ID

EnumScriptType

  • GROOVY - Groovy script
  • JAVASCRIPT - JavaScript script

MapValue

| Field | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| value | string | Yes | - | Claim value |
| valueType | string | No | STRING | Value type. See MapValueType |

MapValueType

  • STRING - String value
  • BOOLEAN - Boolean value
  • INTEGER - Integer value
  • LONG - Long value
  • DOUBLE - Double value
  • FLOAT - Float value
  • STRING_LIST - String list (comma-separated)
  • URI - URI value

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

cURL Example

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/jose-implementation-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "RESPONSE",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["production"],
      "order": 1
    },
    "policy": {
      "type": "policy-jose-implementation",
      "description": "Generate signed JWT tokens",
      "active": true,
      "joseTarget": "BODY",
      "addIssueTime": true,
      "addJWTID": true,
      "addIssuer": true,
      "issuer": "https://myapi.com",
      "addAudience": true,
      "audienceList": ["api://myapi"],
      "addSubject": true,
      "subject": "user123",
      "addTypeToHeader": true,
      "typeValue": "JWT",
      "addExpirationTime": true,
      "expirationTimeValue": 3600,
      "expirationTimeUnit": "SECONDS",
      "sign": true,
      "signByIssuer": true,
      "encrypt": false
    }
  }'

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

| Header | Value |
| --- | --- |
| Authorization | Bearer {token} |
| Content-Type | application/json |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |

Request Body

Full JSON Body Example
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["tester"],
    "order": 1
  },
  "policy": {
    "type": "policy-jose-implementation",
    "description": "Updated: Generate signed JWT tokens with encryption",
    "active": true,
    "joseTarget": "BODY",
    "joseTargetVariable": null,
    "jwtClaimsClaim": null,
    "escapeJsonString": false,
    "addIssueTime": true,
    "addJWTID": true,
    "addIssuer": true,
    "issuer": "https://myapi.com",
    "addAudience": true,
    "audienceList": ["api://myapi", "api://partners"],
    "addSubject": true,
    "subject": "user123",
    "addTypeToHeader": true,
    "typeValue": "JWT",
    "addExpirationTime": true,
    "expirationTimeValue": 7200,
    "expirationTimeUnit": "SECONDS",
    "additionalClaimMap": {
      "role": {
        "value": "admin",
        "valueType": "STRING"
      },
      "permissions": {
        "value": "read,write,delete",
        "valueType": "STRING_LIST"
      },
      "department": {
        "value": "engineering",
        "valueType": "STRING"
      }
    },
    "sign": true,
    "signByIssuer": true,
    "jwkIdForValidationAndSign": null,
    "encrypt": true,
    "encryptByIssuer": true,
    "jwkIdForDecryptionAndEncryption": null,
    "encryptionMethod": "A256GCM",
    "encodedClaimsTargetForDataManipulation": "BODY",
    "decodedClaimsTargetVariableForDataManipulation": null
  }
}
Note: The request body structure is the same as for Add Policy. All fields should be provided for an update.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

| Header | Value |
| --- | --- |
| Authorization | Bearer {token} |
| Content-Type | application/json |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |

Request Body

Full JSON Body Example
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": false
  }
}

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": []
  }
}

Notes and Warnings

  • JOSE Target:
    • BODY - Token is placed in request/response body
    • AUTHORIZATION_HEADER - Token is placed in Authorization header (standard Bearer token)
    • CHOOSE_FROM_VARIABLE - Token location is dynamic (specified by variable)
    • EMPTY - Token is not placed (for internal use only)
  • Standard Claims:
    • iat (Issue Time) - Added when addIssueTime: true
    • jti (JWT ID) - Added when addJWTID: true
    • iss (Issuer) - Added when addIssuer: true (requires issuer)
    • aud (Audience) - Added when addAudience: true (requires audienceList)
    • sub (Subject) - Added when addSubject: true (requires subject)
    • exp (Expiration Time) - Added when addExpirationTime: true (requires expirationTimeValue and expirationTimeUnit)
    • typ - Added to header when addTypeToHeader: true (requires typeValue)
  • Signing:
    • JWT can be signed for integrity and authenticity
    • Signing key can come from issuer credentials or proxy JWK
    • When signByIssuer: false, jwkIdForValidationAndSign is required
  • Encryption:
    • JWT can be encrypted to create JWE (JSON Web Encryption)
    • Encryption method must be specified when encrypt: true
    • Encryption key can come from issuer credentials or proxy JWK
    • When encryptByIssuer: false, jwkIdForDecryptionAndEncryption is required
  • Encryption Methods:
    • A128CBC_HS256, A192CBC_HS384, A256CBC_HS512 - AES-CBC with HMAC (recommended)
    • A128GCM, A192GCM, A256GCM - AES-GCM (recommended for GCM)
    • XC20P - XChaCha20-Poly1305 (modern, secure)
    • Deprecated methods should be avoided
  • Additional Claims:
    • Custom claims can be added via additionalClaimMap
    • Claims support various value types (STRING, BOOLEAN, INTEGER, LONG, DOUBLE, FLOAT, STRING_LIST, URI)
  • Escape JSON String:
    • When escapeJsonString: true, JSON string values are escaped
    • Useful for nested JSON structures
  • Performance: JOSE token generation adds cryptographic processing overhead. Use it only where the security it provides is needed.
  • Pipeline:
    • REQUEST pipeline generates tokens for outgoing requests
    • RESPONSE pipeline generates tokens for outgoing responses
  • Error Handling: An invalid configuration or a JWK failure causes the policy to fail
  • Deployment: Policy changes require deployment to take effect. Set deploy: true or deploy manually.