Vend a JWT

This API is used to create a free-form access token (JWT) with claims defined by the caller. The only "reserved" claims that cannot be specified are amr, cnf, exp and iat. The iat claim is the issued at time of the JWT and the exp is the expiration time of the JWT as computed by adding to the iat value either the user passed timeToLiveInSeconds or the tenant JWT timeToLiveInSeconds. If a reserved claim is passed into the claims object, it will be ignored.

This API has been available since 1.30.0

Here's a video showing how to use this feature.

Play

Request#

API Key Authentication
Vend a JWT
POST/api/jwt/vend
OpenAPI Spec

Request Headers#

X-FusionAuth-TenantIdStringoptional

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

Request Body#

claimsObjectoptional

A set of claims to add to this JWT. If any of the "reserved" claims, amr, cnf, exp or iat, are specified they will be ignored. Otherwise, the claims can be any valid JSON value.

keyIdUUIDoptional

The Id of the signing key to use when signing this JWT. If this is not supplied, the tenant's JWT access token signing key will be used.

timeToLiveInSecondsIntegeroptional

The length of time in seconds before the JWT expires and is no longer valid. Any integer value greater than 0 is allowed. If omitted, the tenant's timeToLiveInSeconds value will be used instead.

Example Request JSON

{
  "claims": {
    "id": "c74aa258-3a04-4d3f-83c5-e5b20af96e7a",
    "iss": "piedpiper.com"
  },
  "keyId": "fafdc79b-d058-4e93-99d9-759e40b03711",
  "timeToLiveInSeconds": 300
}

Response#

Response Codes
CodeDescription
200The request was successful. The response will contain a JSON body.
400The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.
401You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.
500There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Response Body#

tokenString

The encoded access token.

Example Response JSON

{
  "token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6InlQaUx5SGFRZV9YcUVqdHZfQTlrcXNkQndoamV6WXZ2In0.eyJleHAiOjE2Mjk4NDAwOTEsImlhdCI6MTYyOTgzOTc5MSwiaXNzIjoicGllZHBpcGVyLmNvbSIsImp0aSI6ImQ5NWJiMDgxLTFmOWQtNGVjNS05OTk2LTc0YTQwMmMwMzYxNSIsImlkIjoiYzc0YWEyNTgtM2EwNC00ZDNmLTgzYzUtZTViMjBhZjk2ZTdhIn0.3P0PTU7opCmqNmRTC54KmIPIbk6WH3zE9OtIKgA8-fqQluurgKzmqHXiTwsfpuRV2p28s8KvoWbtS0y-zG32Dg"
}