JWT Validation

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained method for transferring transmission between two parties as a JSON object. This information can be verified and trusted since the token is digitally signed.

JWTs can be signed by using a secret (with the HMAC algorithm) or a pair of public/private keys using RSA.

To read more about it, access this website: https://jwt.io/.

Generating a token

Before we make the call to generate the JWT token, we need to make a call to generate the Authorization Code. To know how to generate it, click here.

To use this interceptor, an app must have been created, so that we can access the client ID and client secret.

To generate the JWT, it is necessary to make a POST request to the endpoint <gateway url>/oauth/access-token.

The header should contain the following information:

Authorization : Basic client_id:client_secret
The client_id:client_secret must be a string converted to Base64, using the app data.

Here is an example of a header with the client ID and secret converted to Base64:

Authorization : Basic ZjkyMTIxNzMtZTcwNS0zNzNiLWE2OTgtNjE5MjNlMzc4MzU5OjAyYWI1Mjg4LTkyZGItM2FiMy05OWZkLWZhYzRhZjg1N2Q4MQ==

In the body, we must inform the "code" generated by the grant-code endpoint, with a few more items in the format x-www-form-urlencoded:

"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer"
"code" : "8748d39f-1d4f-311f-92c6-4b279db1b317"

Lastly, your access token will be generated again and should appear as the example below:

  "access_token": "ca81cb16-43e4-3e96-aaea-4861e7791dc7",
  "refresh_token": "677b881a-d0b6-3b29-b9a8-f0cdb50ce035",
  "token_type": "access_token",
  "expires_in": 3600
If your API returns the status code 401 Unauthorized when using this interceptor, the token may be invalid. See more details on this page of our FAQs.


This interceptor can only be inserted in the request flow and two pieces of information need to be configured: Location and Name.

Location options are:

  • Query Param: validates the existence of a JWT informed via query param.

    • The property "Name" defines the expected query param name.
      jwt queryparam

  • Header: validates an existing JWT in the header.

    • The property "Name" defines the expected header name.
      jwt header

  • Default JWT Header: validates an existing JWT in the header.

    • In this case, there is no property "name"; the JWT is expected in the header Authorization.
      jwt defaultHeader


As we mentioned in the beginning of this page, JWT is a pattern that allows transmitting tokens from one party to another with security regarding the legitimacy of the token sent. It is usual for this pattern to be used to send additional information via "claims".

However, it’s important to remember that JWT is a pattern that ensures data reliability, not confidentiality. Sensitive information transmitted in the body of the token can be intercepted and exposed.

JWE (Json Web Encryption) adds an additional security layer by encrypting the data informed. Thus, it’s possible to expand the JWT functionality so that it also ensures confidentiality.

To add JWE to your token, just select the option Use JWE-JSON Web Encryption on the settings window of the interceptor.

jwt jwe
Thanks for your feedback!

Share your suggestions with us!
Click here and then [+ Submit idea]