POST API/SignJWT

Signs and returns a JSON Web Token (JWT). Because a CodeSign Protect certificate digitally signed the token, the claims in the token can be verified and trusted.

Requirements

Setup: See Setting up your HSM Client application.
Permissions: The caller must be a Key User.
Token scope: codesignclient

Headers

Content type: Content-Type:application/json.
Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Parameters

Input parameters
Name	Description
ClientInfo	The ClientInfo object that manages code signing.
ProccessInfo	The ProcessInfo object that describes how to sign the JWT token.
KeyId	The GUID that uniquely identifies a Certificate environment. The Key ID allows you to digitally sign the JWT. To get the value, use the Guid from the POST Codesign/GetEnvironment response.
Header	The URL Safe Base-64 encoded header that originated from a JSON body. The value requires Javascript Object Signing and Encryption (JOSE) headers: alg:[algorithm] and typ: JWT. For more information, see https://datatracker.ietf.org/doc/html/rfc7515. Use a tool like https://jwt.io to convert the JSON to Base 64.
Payload	The URL Safe Base-64 encoded payload that originated from a JSON body. The payload contains registered, public, and or private claims that will be shared with other parties. Use a tool like https://jwt.io to convert the JSON to URL Safe Base-64 encoding.

Returns

Use a tool to convert ResultData to JSON. The converted data should show additional kid and x5u headers. Be sure to confirm that the x5u header is a valid public key or key chain. The other headers should match the original JOSE Header that you passed in this API call.

Response description
Name	Description
HTTP 200	For valid requests, this call returns a HTTP 200 message and the following data in the message body: ResultData: The URL Safe Base-64 encoded value of the signed JWT. If this API call was unsuccessful, the value is missing. After you use a tool to convert this value to JSON, the value includes these JOSE headers: typ: JWT. alg: The algorithm. kid: The key ID. x5u: The resource for the X.509 public key of a certificate or certificate chain. Success: true: The JWT token was successfully signed.
HTTP 400	For invalid requests, this call returns HTTP 400 Bad Request and the following data in the message body: Error: Appears only if the action could not be performed. TryLater: true: Appears with an Error. For example, if a key requires an approval, TryLater accompanies an Error.

Example: Send a sign request

Request

POST https://test.venafi.example/vedhsm/API/SignJWT
Authorization:Bearer 4MyGeneratedBearerTknz==
{
   "ClientInfo":{
      "ClientLibraryName":"pkcs11",
      "ClientLibraryVersion":"My client application or script name and version"
   },
   "ProcessInfo":{
      "Username":"Administrator",
      "Machine":"WIN-TS6P5P8LU80",
      "Executable":"C:\\Users\\Administrator\\Repo\\codesigningclients\\bin\\Pkcs11Config.exe",
      "CommandLine":"\"C:\\Users\\Administrator\\Repo\\codesigningclients\\bin\\Pkcs11Config.exe\" signjwt -label:Development Environment",
      "ExecutableSize":2919424,
      "ExecutableHash":"4137C3B4..."
   },
   "KeyId":"{987225cf-ac4f-4ec5-93cc-b7af4d478815}",
   "Header":"eyJhbGci...",
   "Payload":"eyJzdWIiO..."
}

Response

HTTP/1.1 200 OK
{
   "ResultData": "ew0KICAiYWxnI...",
   "Success": true
}