Generates a JSON Web Token (JWT). Typically used in OpenID Connect scenarios.


| Name | Description | Default value | Mandatory | Supports property expansion |
|---|---|---|---|---|
| subjectattribute | Attribute holding the value put into the sub of the token. | | true | true |
| keystore | ID of the keystore used for signing the token. | | true | false |
| kid | The key ID (kid) value. This value will be added to the JWT header. | | false | false |
| expire_seconds | Number of seconds the JWT is valid (exp will be now + this value). | 90 | false | false |
| claims | Claims to be included in the token. Array of claim objects, see below for format. (Previously called tokenattributes; that name is still supported.) | | false | true |
| jwt_token_property_name | The token's target property name. | id_token | false | false |


Which claims are included in the token is controlled by the claims (or tokenattributes) configuration property, which contains an array of claim objects. A claim object has a name (name of the claim), a value (value of the claim, supports property expansion) and a type (target type of the claim value).

The claim value must expand to a string, but that string may contain any string-encoded JSON. When the value is added to the claim, it is converted to the configured type.

Supported types:

  • string (default)
  • object
  • array
  • number (double value)
  • integer/int
  • boolean/bool
  • null

Example claim - array of strings:

    {
        "name": "roles",
        "value": "[\"admin\",\"manager\",\"user\"]",
        "type": "array"
    }

Example claim - object:

    {
        "name": "keys",
        "value": "{\"key_1\": \"value_1\", \"key_2\": \"value_2\", \"key_3\": \"value_3\"}",
        "type": "object"
    }

Example Configuration

    {
        "name": "GenerateJWTTokenVavle",
        "enabled": "true",
        "config": {
            "subjectattribute": "{{session.user_id}}",
            "keystore": "d2c3094d-f538-4abc-9211-cd26c46606d3",
            "expire_seconds": "600",
            "jwt_token_property_name": "id_token"
        }
    }


General information

Token TTL is 90 seconds by default.

Attributes always added to the payload are:

  • sub - the user identifier
  • iat - Issued at
  • nbf - Not before
  • exp - Expiration
  • jti - Token identifier

The signing algorithm is RS256.

Dates are formatted as a numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds (the NumericDate format defined in RFC 7519).
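The claim conversion and the always-added attributes described above can be modelled as follows. This is an added example, not the product's own code; it does not sign the token. The function names, the use of a UUID for jti, setting nbf equal to iat, and rejecting configured claims that collide with the always-added attributes are assumptions of this example.

```python
import json
import time
import uuid

# Type names from the "Supported types" list, mapped to Python types.
TYPES = {"string": str, "object": dict, "array": list, "number": float,
         "integer": int, "int": int, "boolean": bool, "bool": bool,
         "null": type(None)}
ALWAYS_ADDED = ("sub", "iat", "nbf", "exp", "jti")

def convert_claim(claim):
    """Turn a claim's expanded string value into its configured type."""
    kind = claim.get("type", "string")            # string is the default
    if kind not in TYPES:
        raise ValueError(f"unsupported claim type {kind!r}")
    raw = claim["value"]
    if kind == "string":
        return raw                                # kept verbatim, not parsed
    parsed = json.loads(raw)                      # bad JSON raises ValueError
    is_bool = isinstance(parsed, bool)            # bool is an int in Python
    if kind == "number" and isinstance(parsed, int) and not is_bool:
        parsed = float(parsed)                    # number means double
    if not isinstance(parsed, TYPES[kind]) or (is_bool and TYPES[kind] is int):
        raise ValueError(f"claim {claim['name']!r} is not a JSON {kind}")
    return parsed

def build_payload(subject, claims, expire_seconds=90, now=None):
    """Payload as described: configured claims plus the always-added ones."""
    now = int(time.time()) if now is None else now
    payload = {}
    for claim in claims:
        if claim["name"] in ALWAYS_ADDED:         # this example's choice
            raise ValueError(f"claim {claim['name']!r} is set by the valve")
        payload[claim["name"]] = convert_claim(claim)
    # Assumptions of this example: nbf equals iat, jti is a random UUID.
    payload.update(sub=subject, iat=now, nbf=now, exp=now + expire_seconds,
                   jti=str(uuid.uuid4()))
    return payload

# Constructed sample claims, modelled on the page's two examples.
SAMPLE_CLAIMS = [
    {"name": "roles", "value": '["admin","manager","user"]', "type": "array"},
    {"name": "keys", "value": '{"key_1": "value_1"}', "type": "object"},
    {"name": "level", "value": "3", "type": "integer"},
    {"name": "note", "value": "[not parsed]"},
]

if __name__ == "__main__":
    print(json.dumps(build_payload("user-1", SAMPLE_CLAIMS, 600), indent=2))
```

A value that does not parse as the configured type (for example `admin` with type `array`) raises an error here instead of being placed in the token as a string, which keeps a relying party from seeing a claim whose type silently changed.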


A previously misspelled valve, GenerateJWTTokenVavle, with identical functionality, still exists in the product for backwards compatibility.