Creating a JSON web token

Most modern languages have JWT libraries available. We recommend that you use one of these libraries (or another JWT-compatible library) before you try to hand-craft the JWT. Other JWT tools are publicly available, such as the JWT decoder, a handy web-based decoder for Atlassian Connect JWT tokens.

Language Library

atlassian-jwt and jsontoken

firebase php-jwt and luciferous jwt

Building a JWT

You must create the JWT that encapsulates your technical-account credentials. You will exchange this JWT for the API access token in the access request. Your JWT must contain the following claims:




Required. The expiration time, an absolute number of seconds since 1/1/1970 GMT. You must ensure that the expiration time is later than the time of issue. After this time, the JWT is no longer valid. An expiration period is typically one day.


Required. The issuer, your organization ID in the format org_ident@AdobeOrg.


Required. The subject, your API client account ID in the format:


Required. The audience for the token, in the format:

configured claims

Required. The API-access claim configured for your organization:


Optional. A unique identifier for the token, if configured for your organization. If required, you must use a decimal number greater than any value used before, in order to prevent replay attacks. Otherwise, the request fails. To ensure an acceptable value, you can use the current Unix time (seconds since 1970).

The following Python script shows how to create a JWT for a sample enterprise using the pyjwt library and the variables we have defined for the required components of the JWT.

Set the expiration time for the JWT to one day from the current time. This is a typical and recommended validity period.

Use the enterprise credentials and expiration value to create the JWT payload.

Get the private key we will use to sign the JWT.

Create the JWT, signing it with the private key.

For debugging purposes, we print the result. In practice, you should never print or retain JWTs that you create.

Sign and encode the JWT

The JWT must be signed and base-64 encoded for inclusion in the access request. The JWT libraries provide functions to perform these tasks.

The token must be signed using the private key corresponding to a public-key certificate that is associated with your API key. You can associate more than one certificate with an API key. If you do so, you can use the private key of any associated certificate to sign your JWT.

Adobe supports RSASSA-PKCS1-V1_5 Digital Signatures with SHA-2. The JWS algorithm ("alg") parameter value can be RS256, RS384, or RS512.
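The script steps and the signing rules above, put together as an added example (not Adobe's original script). It assumes PyJWT with the cryptography package is installed; `build_claims`, `sign_jwt`, the placeholder subject, audience and access-claim values, and the throwaway key are constructed for illustration, because the page does not show those formats.

```python
import time

ALLOWED_ALGS = ("RS256", "RS384", "RS512")  # the alg values the page lists
ONE_DAY = 24 * 60 * 60                      # typical validity period


def build_claims(org_id, subject, audience, access_claims,
                 now=None, lifetime=ONE_DAY, last_jti=None):
    """Build the payload. subject, audience and access_claims come from the
    caller. Pass last_jti (0 if none was used yet) only if jti is configured."""
    now = int(time.time()) if now is None else int(now)
    if lifetime <= 0:
        raise ValueError("exp must be later than the time of issue")
    claims = {"exp": now + lifetime, "iss": org_id,
              "sub": subject, "aud": audience}
    claims.update(access_claims)
    if last_jti is not None:
        # Unix time is a valid jti only while it strictly increases, so bump
        # it when two tokens are created within the same second.
        claims["jti"] = max(now, last_jti + 1)
    return claims


def sign_jwt(claims, private_key_pem, alg="RS256"):
    """Sign and base64url-encode the claims with PyJWT."""
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"alg must be one of {ALLOWED_ALGS}")
    import jwt  # PyJWT; imported here so build_claims has no dependency
    return jwt.encode(claims, private_key_pem, algorithm=alg)


if __name__ == "__main__":
    # Constructed sample values and a throwaway key, for the demo only. In
    # practice, load the PEM private key that matches your certificate.
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.private_bytes(serialization.Encoding.PEM,
                            serialization.PrivateFormat.PKCS8,
                            serialization.NoEncryption())
    claims = build_claims("org_ident@AdobeOrg", "SUBJECT_PLACEHOLDER",
                          "AUDIENCE_PLACEHOLDER",
                          {"ACCESS_CLAIM_PLACEHOLDER": True}, last_jti=0)
    token = sign_jwt(claims, pem)
    # Do not print or retain the token itself; show only its shape.
    print("segments:", token.count(".") + 1, "length:", len(token))
```

Persist the last `jti` you issued and pass it back as `last_jti`, so the value keeps increasing across restarts and across tokens created in the same second.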
