POST API/SignJWT

Signs and returns a JSON Web Token (JWT). Because a CodeSign Protect certificate digitally signed the token, the claims in the token can be verified and trusted.

Requirements

Headers

  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Parameters

Input parameters

Name

Description

ClientInfo

The ClientInfo object that manages code signing.

ProccessInfo

The ProcessInfo object that describes how to sign the JWT token.

KeyId

The GUID that uniquely identifies a Certificate environment. The Key ID allows you to digitally sign the JWT. To get the value, use the Guid from the POST Codesign/GetEnvironment response.

Header

The URL Safe Base-64 encoded header that originated from a JSON body. The value requires Javascript Object Signing and Encryption (JOSE) headers: alg:[algorithm] and typ: JWT. For more information, see https://datatracker.ietf.org/doc/html/rfc7515. Use a tool like https://jwt.io to convert the JSON to Base 64.

Payload

The URL Safe Base-64 encoded payload that originated from a JSON body. The payload contains registered, public, and or private claims that will be shared with other parties. Use a tool like https://jwt.io to convert the JSON to URL Safe Base-64 encoding.

Returns

Use a tool to convert ResultData to JSON. The converted data should show additional kid and x5u headers. Be sure to confirm that the x5u header is a valid public key or key chain. The other headers should match the original JOSE Header that you passed in this API call.

Response description

Name

Description

HTTP 200

For valid requests, this call returns a HTTP 200 message and the following data in the message body:

  • ResultData: The URL Safe Base-64 encoded value of the signed JWT. If this API call was unsuccessful, the value is missing. After you use a tool to convert this value to JSON, the value includes these JOSE headers: 

    • typ: JWT.
    • alg: The algorithm.
    • kid: The key ID.
    • x5u: The resource for the X.509 public key of a certificate or certificate chain.

  • Successtrue: The JWT token was successfully signed.

HTTP 400

For invalid requests, this call returns HTTP 400 Bad Request and the following data in the message body:

  • Error:  Appears only if the action could not be performed.

  • TryLatertrue: Appears with an Error. For example, if a key requires an approval, TryLater accompanies an Error.

Example: Send a sign request

Request

POST https://test.venafi.example/vedhsm/API/SignJWT
Authorization:Bearer 4MyGeneratedBearerTknz==
{
   "ClientInfo":{
      "ClientLibraryName":"pkcs11",
      "ClientLibraryVersion":"My client application or script name and version"
   },
   "ProcessInfo":{
      "Username":"Administrator",
      "Machine":"WIN-TS6P5P8LU80",
      "Executable":"C:\\Users\\Administrator\\Repo\\codesigningclients\\bin\\Pkcs11Config.exe",
      "CommandLine":"\"C:\\Users\\Administrator\\Repo\\codesigningclients\\bin\\Pkcs11Config.exe\" signjwt -label:Development Environment",
      "ExecutableSize":2919424,
      "ExecutableHash":"4137C3B4..."
   },
   "KeyId":"{987225cf-ac4f-4ec5-93cc-b7af4d478815}",
   "Header":"eyJhbGci...",
   "Payload":"eyJzdWIiO..."
}

Response

HTTP/1.1 200 OK
{
   "ResultData": "ew0KICAiYWxnI...",
   "Success": true
}