JSON Web Token (JWT) is an open standard (RFC 7519) for passing signed claims as a compact token between API consumers and REST web services. You can create a JSON web token policy and assign it to operations. Note that a JWT is signed, not encrypted, and it is a bearer credential: anyone who holds the token can present it, so treat every generated token as a secret.
You can enable JWT authentication for APIs that meet the following criteria:
•The associated process uses HTTP/SOAP binding.
•The associated process uses basic authentication and defines the user groups and users who can access the process service URL at run time.
•The associated process is published and exposed as a service.
Generating a JSON web token
Generate a JSON web token to send to API consumers. You generate the token while editing a managed API.
1. On the API Console page, click Managed APIs.
The Managed APIs table appears.
2. Open the Actions menu of the API and select Edit Managed API.
The API details window appears.
3. In the Operations area, select an operation.
The operation details panel appears.
4. In the Operations area, expand the Authentication section and select JWT - JSON Web Token.
5. Select an expiration date for the token and click Generate New Token.
API Center creates a token for the operation and displays it on the page.
Note: If a token has expired, click Generate New Token to generate a new one. After you generate a token, you can't revoke it, so a token that leaks stays valid until its expiration date. Choose the shortest expiration date that the consumer's usage allows.
6. Click Copy to copy the token and send it to API consumers.
API-level authentication policy
You can use API-level JSON web token (JWT) authentication to protect every endpoint of a managed API with a single token.
When you create or edit a managed API, you can enable JSON web token authentication at the API level. The API-level token authenticates calls to the API and all of its operations, so you don't need to create a separate token for each operation: consumers invoke the API and all its operations with one token.
When you enable API-level JSON web token authentication, the API-level setting overrides operation-level authentication once you confirm in the confirmation dialog box. You can generate an API-level JSON web token in one of the following ways:
•API Console > Managed APIs > Actions menu > Create Managed API > API Policies > Security > Authentication > Enable JWT - JSON Web Token.
•API Console > Managed APIs > Actions menu > Edit Managed API > API Policies > Security > Authentication > Enable JWT - JSON Web Token.
•API Console > Managed APIs > Actions menu > Test Managed API > API Policies > Security > Authentication > Generate New Token.
To invoke the API, consumers must present the API-level JSON web token that you generated for the API.
You can generate API-level JSON web tokens for managed APIs in the active, shared, and deprecated states. However, if you deactivate and then reactivate a managed API, the token generated while it was previously active no longer works. You must generate a new token.
Invoking an API with JSON web token authentication
To invoke a managed API with JSON web token authentication enabled, API consumers pass the token as a bearer token in the HTTP Authorization header, in the form Authorization: Bearer <token> (RFC 6750).
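The following Python script is an added example of the consumer side of that call; it is not code from API Center or its documentation. It builds the request with the Authorization: Bearer header and, because a generated token can't be revoked and only expires, reads the token's exp claim first so the consumer knows when to go back to API Center and generate a new token. The token is constructed locally with HS256 and the secret "demo-secret" so the script runs offline; the signing algorithm and claims API Center actually uses, and the endpoint URL https://api.example.com/managed/orders, are assumptions, not facts from the page.

```python
"""Invoke a managed API with a JWT bearer token.

Added example, not API Center code. The token is constructed locally so the
script runs offline; API Center's real signing algorithm, claim names and
endpoint URL are not stated on the page and are assumed here.
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.request
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT so the example has realistic input.

    In practice the token comes from API Center (Generate New Token); an
    API consumer never signs its own token. Assumed algorithm: HS256.
    """
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def token_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    A JWT is signed, not encrypted: anyone holding it can read the claims.
    Only the API, which holds the key, can verify it; the consumer only
    needs the expiry so it knows when to request a new token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def token_is_expired(token: str, now: Optional[float] = None, skew: int = 30) -> bool:
    """True when the exp claim has passed or is missing.

    Tokens generated in API Center cannot be revoked, only expire, so check
    exp before each call and generate a new token when this returns True.
    `skew` (seconds) absorbs clock drift between consumer and API.
    """
    exp = token_claims(token).get("exp")
    if exp is None:
        return True
    current = time.time() if now is None else now
    return current >= exp - skew


def bearer_request(url: str, token: str) -> urllib.request.Request:
    """Build the request the page describes: the JWT as a bearer token in the
    HTTP Authorization header (RFC 6750). Refuses to send an expired token."""
    if token_is_expired(token):
        raise RuntimeError("JWT expired: generate a new token in API Center before calling the API")
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


if __name__ == "__main__":
    # Constructed token standing in for one copied from API Center.
    token = make_sample_token({"sub": "api-consumer", "exp": int(time.time()) + 3600}, b"demo-secret")
    req = bearer_request("https://api.example.com/managed/orders", token)  # assumed URL
    print("exp claim:", token_claims(token)["exp"])
    print(req.get_header("Authorization")[:40] + "...")
    # urllib.request.urlopen(req) would send it; not executed so the example stays offline.
```

The consumer-side expiry check is deliberately lenient: it reads exp but does not validate the signature, because the consumer doesn't hold the key. Signature verification is the API's job; if the consumer starts receiving 401 responses before exp, treat that as a sign that the API was deactivated and reactivated and a fresh token is required.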