Vend a JWT
This API is used to create a free-form access token (JWT) with claims defined by the caller. The only "reserved" claims that cannot be specified are amr, cnf, exp and iat. The iat claim is the issued at time of the JWT and the exp is the expiration time of the JWT as computed by adding to the iat value either the user passed timeToLiveInSeconds or the tenant JWT timeToLiveInSeconds. If a reserved claim is passed into the claims object, it will be ignored.
This API has been available since 1.30.0
Here's a video showing how to use this feature.
Request#
OpenAPI Spec
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Body#
claimsObjectoptionalA set of claims to add to this JWT. If any of the "reserved" claims, amr, cnf, exp or iat, are specified they will be ignored. Otherwise, the claims can be any valid JSON value.
keyIdUUIDoptionalThe Id of the signing key to use when signing this JWT. If this is not supplied, the tenant's JWT access token signing key will be used.
timeToLiveInSecondsIntegeroptionalThe length of time in seconds before the JWT expires and is no longer valid. Any integer value greater than 0 is allowed. If omitted, the tenant's timeToLiveInSeconds value will be used instead.
Example Request JSON
{
"claims": {
"id": "c74aa258-3a04-4d3f-83c5-e5b20af96e7a",
"iss": "piedpiper.com"
},
"keyId": "fafdc79b-d058-4e93-99d9-759e40b03711",
"timeToLiveInSeconds": 300
}
Response#
Response Codes| Code | Description |
|---|---|
| 200 | The request was successful. The response will contain a JSON body. |
| 400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
| 401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
| 503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
Response Body#
tokenStringThe encoded access token.
Example Response JSON
{
"token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6InlQaUx5SGFRZV9YcUVqdHZfQTlrcXNkQndoamV6WXZ2In0.eyJleHAiOjE2Mjk4NDAwOTEsImlhdCI6MTYyOTgzOTc5MSwiaXNzIjoicGllZHBpcGVyLmNvbSIsImp0aSI6ImQ5NWJiMDgxLTFmOWQtNGVjNS05OTk2LTc0YTQwMmMwMzYxNSIsImlkIjoiYzc0YWEyNTgtM2EwNC00ZDNmLTgzYzUtZTViMjBhZjk2ZTdhIn0.3P0PTU7opCmqNmRTC54KmIPIbk6WH3zE9OtIKgA8-fqQluurgKzmqHXiTwsfpuRV2p28s8KvoWbtS0y-zG32Dg"
}