Get Signed JWT
- v3.3.43 and later
The Get Signed JWT task is used to sign a JWT (JSON Web Token).
Using the RS256 algorithm, the task ensures robust cryptographic security during JWT signing. The resulting token effectively encapsulates specified authorization scopes and incorporates a TTL (time-to-live) mechanism to enforce its expiration, thereby maintaining secure access control.
Task parameters
Configure these parameters for the Get Signed JWT task.
| Parameter | Description | Required/ Optional |
|---|---|---|
| inputParameters. subject | The subject of the JWT, typically representing the entity (e.g., user or service) for which the token is issued. | Required. |
| inputParameters issuer | The entity issuing the JWT, identifying who created and signed the token. | Required. |
| inputParameters. privateKey | The private key used to sign the JWT. This key needs to be in PKCS#8 format. | Required. |
| inputParameters. privateKeyId | The identifier for the private key used to sign the JWT. | Required. |
| inputParameters. audience | The intended recipient(s) of the JWT. | Required. |
| inputParameters. ttlInSeconds | The time-to-live (TTL) or expiration time of the JWT, specified in seconds. | Required. |
| inputParameters. scopes | The scopes associated with the JWT, defining the access permissions granted by the token. It can be a string or an array of strings. | Required. |
| inputParameters. algorithm | The signing algorithm to use for the JWT. Currently set to RS256, which refers to the RSA signature with the SHA-256 hash algorithm. | Required. |
Caching parameters
You can cache the task outputs using the following parameters. Refer to Caching Task Outputs for a full guide.
| Parameter | Description | Required/ Optional |
|---|---|---|
| cacheConfig.ttlInSecond | The time to live in seconds, which is the duration for the output to be cached. | Required if using cacheConfig. |
| cacheConfig.key | The cache key is a unique identifier for the cached output and must be constructed exclusively from the task’s input parameters. It can be a string concatenation that contains the task’s input keys, such as ${uri}-${method} or re_${uri}_${method}. | Required if using cacheConfig. |
Schema parameters
You can enforce input/output validation for the task using the following parameters. Refer to Schema Validation for a full guide.
| Parameter | Description | Required/ Optional |
|---|---|---|
| taskDefinition.enforceSchema | Whether to enforce schema validation for task inputs/outputs. Set to true to enable validation. | Optional. |
| taskDefinition.inputSchema | The name and type of the input schema to be associated with the task. | Required if enforceSchema is set to true. |
| taskDefinition.outputSchema | The name and type of the output schema to be associated with the task. | Required if enforceSchema is set to true. |
Other generic parameters
Here are other parameters for configuring the task behavior.
| Parameter | Description | Required/ Optional |
|---|---|---|
| optional | Whether the task is optional. The default is false. If set to true, the workflow continues to the next task even if this task is in progress or fails. | Optional. |
Task output
The Get Signed JWT task will return the signed JWT in the secret variable _secrets. The signed JWT will be masked (***).
Task configuration
This is the task configuration for a Get Signed JWT task.
{
"name": "get_signed_jwt",
"taskReferenceName": "get_signed_jwt_ref",
"inputParameters": {
"subject": "${workflow.input.subject}",
"issuer": "${workflow.input.issuer}",
"privateKey": "${workflow.secrets.jwt-privatekey}",
"privateKeyId": "key-123",
"audience": "${workflow.input.audience}",
"ttlInSeconds": 3600,
"scopes": "${workflow.input.scope}",
"algorithm": "RS256"
},
"type": "GET_SIGNED_JWT"
}
Adding a Get Signed JWT task in UI
To add a Get Signed JWT task:
- In your workflow, select the (+) icon and add a Get Signed JWT task.
- Enter the Subject and Issuer of the JWT.
- Provide the PrivateKey and PrivateKeyId used for signing JWT.
- Set the Audience, TTL (in seconds), Scopes, and Algorithm as required.
Examples
Here are some examples for using the Get Signed JWT task.
Authorization
{
"name": "get_signed_jwt_token",
"taskReferenceName": "get_signed_jwt_token_ref",
"inputParameters": {
"privateKey": "${workflow.secrets.gcp_private_key}",
"privateKeyId": "${workflow.secrets.gcp_private_key_id}",
"audience": "https://oauth2.googleapis.com/token",
"ttlInSecond": 3600,
"scopes": [
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/documents",
"https://www.googleapis.com/auth/drive"
],
"subject": "service-account-name@project-id.iam.gserviceaccount.com",
"issuer": "service-account-name@project-id.iam.gserviceaccount.com"
},
"type": "GET_SIGNED_JWT"
}