# JWT Workato claim
Identity providers streamline the process of maintaining verified access to multiple applications. The end user only needs to authenticate with the identity provider. Subsequently, the end user can access multiple applications and services without needing to remember additional sets of credentials. For example, the identity provider will issue JWT tokens that allow the end user to make authenticated requests with Workato API platform.
Identity provider issues JWT to the end user, who uses it to obtain verified access to Workato API platform
When Workato receives an incoming request, the JWT token is checked to see if it contains a valid API key. This is done to determine that the request is coming from a valid access profile. If no valid token is found, the API request will return a
401 Unauthorized error.
Workato will inspect the following JWT claims in sequential order. Workato identifies the first claim that is not empty and compares the claim value with an internal list of known access profiles. If the token is not verified, the API request will return a
401 Unauthorized error. Otherwise, if a valid API key is found, the API request will be successful.
# Default claims for access profile token
|1st||payload|| ||This is a namespace claim. As it uses unique names, this claim is unlikely to be restricted by the identity providers.|
|2nd||payload|| ||Workato will inspect this claim if the above claims are empty.|
|3rd||payload|| ||This represents the subject of the JWT. Some identity providers reserve this JWT claim and thus Workato API key cannot be used here. Workato will inspect this claim if the above claims are empty.|
|4th||header|| ||This is a header claim. Workato will inspect this claim if the above claims are empty.|
If these claims are used for other purposes in your use case, you may use a custom claim to hold the access profile token.
# Advanced settings
# Reserved claims to enforce
This multiselect input allows you to choose which of the reserved claims you want to enforce. API platform will ensure that every chosen claims here are present in the JWT access token. For example, select
exp to ensure that only tokens with limited validity are used to access your APIs.
# Allowed issuers for iss claim
iss is select in Reserved claims to enforce, this additional input will be provided. Here, you can provide a list of
iss values that will be allowed. Leave this field blank to accept all
# Custom claim for access profile token
If all 4 of the default access profile claims are occupied for other purposes, you may use a custom claim to hold the access profile token in the JWT. This custom claim must be specified in the access profile configuration.
Last updated: 8/31/2023, 1:07:14 AM