> ## Documentation Index
> Fetch the complete documentation index at: https://docs.alumio.com/llms.txt
> Use this file to discover all available pages before exploring further.

# JWT authentication

> Use a JWT header and payload for request authentication.

export const FormField = ({property, label, required = false, diType, uiPatterns, children}) => {
  const patterns = Array.isArray(uiPatterns) ? uiPatterns : uiPatterns ? [uiPatterns] : [];
  return <div style={{
    margin: '1.5rem 0'
  }}>
      <div style={{
    display: 'flex',
    alignItems: 'baseline',
    flexWrap: 'wrap',
    gap: '0.5rem',
    marginBottom: '0.25rem'
  }}>
        <strong>{label}</strong>
        <span style={{
    fontSize: '0.7rem',
    fontWeight: 600,
    textTransform: 'uppercase',
    letterSpacing: '0.04em',
    color: required ? '#6241f5' : '#6b7280'
  }}>
          {required ? 'Required' : 'Optional'}
        </span>
      </div>

      <div>{children}</div>

      {diType || patterns.length > 0 ? <p style={{
    fontSize: '0.85rem',
    color: '#6b7280',
    marginBottom: 0
  }}>
          {diType ? <>
              See the <a href={`/references/${diType}`}>{diType}</a> reference.{' '}
            </> : null}
          {patterns.length > 0 ? <>
              Accepts a <a href={`/documentation/placeholders-and-patterns/patterns#${patterns[0]}`}>pattern</a>.
            </> : null}
        </p> : null}
    </div>;
};

Signs each request with a JSON Web Token (JWT) and sends it in the `Authorization: Bearer` header. Use this for services that expect a freshly signed JWT on every call. You provide the signing method, the key, and the token's headers and payload; Alumio builds and signs the token for you, filling in the standard `typ` and `alg` header values and the issued-at (`iat`) and expiry (`exp`) timestamps automatically.

This documentation describes: [Schema](/schemas/http-authentication-configurator/jwt)

## Fields

<FormField property="encryptionProtocol" label="Encryption Method" required>
  The signing algorithm to use. Choose from **HS256** (shared secret), **RS256 (RSA Key)**, **RS256 (Passphrase)**, or **EdSDA (Ed25519)**. Defaults to **HS256**. Your choice determines what to enter in the key field below.
</FormField>

<FormField property="key" label="JWT encryption key" required>
  The key used to sign the token. For **HS256** this is your shared secret; for **RS256 (RSA Key)** it becomes a multi-line **Private key** field where you paste the full key including the `-----BEGIN PRIVATE KEY-----` and `-----END PRIVATE KEY-----` lines. You can store the value in an environment variable and reference it here.
</FormField>

<FormField property="expireTime" label="Expire time in seconds" required>
  How long the token stays valid, in seconds. Alumio uses this to set the token's expiry timestamp on each request. Defaults to `3600` (one hour).
</FormField>

<FormField property="headers" label="JWT Headers" required>
  The token header, entered as JSON. The `typ` and `alg` values are set for you, so you only add any extra headers the service requires (for example a key id). Use an empty object `{}` when no extra headers are needed.
</FormField>

<FormField property="payload" label="JWT Payload" required>
  The token payload (its claims), entered as JSON. The issued-at (`iat`) and expiry (`exp`) values are set for you; add the claims the service expects, such as an issuer or subject.
</FormField>

## Sample data

This feature configures a connection rather than transforming data, so there is no before/after to show. A typical HS256 setup looks like this:

| Field                  | Value                                             |
| ---------------------- | ------------------------------------------------- |
| Encryption Method      | `HS256`                                           |
| JWT encryption key     | `your-signing-secret`                             |
| Expire time in seconds | `3600`                                            |
| JWT Headers            | `{}`                                              |
| JWT Payload            | `{ "iss": "your-app", "sub": "service-account" }` |

```json Configuration theme={null}
{
  "prototype": "jwt",
  "parameters": {
    "encryptionProtocol": "HS256",
    "key": "your-signing-secret",
    "expireTime": 3600,
    "headers": {},
    "payload": {
      "iss": "your-app",
      "sub": "service-account"
    }
  }
}
```
