Security Event Token Headers

In a JSON Web Token, the header section typically serves two purposes: 1) it identifies the token type; and, 2) it identifies the algorithm used to sign the token. Security token headers employed by the Akamai Identity Cloud cover both of those purposes; in addition, the header section indicates which JSON Web Key was used to sign the token.

A typical Identity Cloud SET header looks similar to this:

{
 "alg": "RS256",
 "kid": "1dc12073699c68c1daee6c9a100e2b43febdcd92",
 "jku": "https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/jwk"
}

These claims (alg, kid, and jku) used in the token header are described in the following table:

| Claim | Description |
| --- | --- |
| alg | Identifies the cryptographic algorithm used to sign the token. For webhooks, this value will always be RS256, which references the signature algorithm RSASSA-PKCS1-v1_5 using SHA-256. |
| kid | Key identifier, a case-sensitive string that indicates the JSON Web Key used to sign the token. Each JSON Web Key includes a kid property that corresponds to the kid property shown in the token header. |
| jku | JSON Web Key Set URL: the URL of your JSON Web Key Set. For example: https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/jwk |
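
The header is read before the signature has been checked, so a receiver should treat alg, jku and kid as untrusted input. The following added example (not Akamai's code) shows one way to check the three header claims and select the matching JSON Web Key ahead of signature verification; the pinned URL, the constructed key set and all function names are assumptions made for illustration.

```python
import base64
import json

# Assumption: the receiver pins the one JWKS URL it expects (value from the page's example).
TRUSTED_JKU = "https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/jwk"
EXPECTED_ALG = "RS256"  # per the table above, always RS256 for webhooks

# Constructed JWKS standing in for the document at TRUSTED_JKU; "n" is a placeholder.
SAMPLE_JWKS = {"keys": [{
    "kty": "RSA", "use": "sig", "alg": "RS256", "e": "AQAB", "n": "placeholder-modulus",
    "kid": "1dc12073699c68c1daee6c9a100e2b43febdcd92",
}]}


class HeaderError(ValueError):
    """Raised when a SET header fails a pre-verification check."""


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise HeaderError("expected header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers base64, UTF-8 and JSON decoding errors
        raise HeaderError("header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise HeaderError("header must be a JSON object")
    return header


def select_signing_key(token: str, jwks: dict = SAMPLE_JWKS) -> dict:
    """Check alg, jku and kid, then return the JWK to verify the signature with."""
    header = parse_header(token)
    if header.get("alg") != EXPECTED_ALG:
        raise HeaderError("unexpected alg")
    if header.get("jku") != TRUSTED_JKU:
        raise HeaderError("jku does not match the pinned JWKS URL")
    kid = header.get("kid")
    # kid is case-sensitive, so compare exactly with no normalization.
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not isinstance(kid, str) or len(matches) != 1:
        raise HeaderError("no unique key for kid")
    return matches[0]
```

The returned key would then be handed to an RS256 signature check; the example stops before that step.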