JSON Web Token

Last Updated: 21 Jun 2021


The JSON Web Token (JWT) extension is a Matrix package that lets you generate dynamic JSON Web Tokens (JWTs) from Matrix. The tokens can be used to integrate with third-party services and platforms that implement JWT authentication.

The JWTs created by the extension are signed using a secret and are encoded using the HMAC SHA256 standard.


Read the following prerequisites and information before installing and using the JSON Web Token Extension.

Key package information

Supported Matrix version

Extension type

Matrix package

Extension version1.0.1

Installation method

.tgz archive

Asset category


Asset name

JSON Web Token

Asset availability

Admin mode only

Minimum user account levelSystem Administrator

JWT implementation

Read this section if you need to cross-check how the JWT implementation compares to a third-party JWT implementation.


Supported: HMAC SHA256

Not supported: RSA or ECDSA


Not supported

Payload visibility

Signed (publicly visible)

All payload information is visible in the payload when decoded. Do not put sensitive information such as passwords in the payload.

Installing the extension

This extension is installed using the Matrix package installation process.

See Matrix Packages for installation instructions.

Using the extension

The JWT asset type is available through the Matrix Admin interface.

Before you set up a JWT, you need to understand the three configuration items the asset requires:

  • Secret
  • Payload
  • Expiry Time

Make sure you have the required information for each configuration item prior to setting up a JWT asset in Matrix.


The secret is a shared key issued and used by the third-party service to verify that the token header and payload are authentic.

Check the third-party integration documentation for instructions on obtaining the correct secret.


Do not include sensitive information in the payload. The payload is signed using a shared secret but is not encrypted. Anyone can check the contents of the payload.

The payload sets the entity claims that get encoded within the token.

Entity claims are most commonly user credentials that the third-party service needs as part of the request.

The payload you send will vary based on the service you are integrating with, but will almost certainly use one or more JWT public claims as documented on the IANA.org website.

Payloads use a standard JSON body with claims declared as key-value pairs.

  "sub": "1234567890",
  "name": "John Smith",
  "admin": true

In this example, sub is a registered claim, name is a public claim, and admin is a private claim specific to a third-party service.

Get the correct payload from the third-party service you are integrating with.

Expiry Time

The expiry time is used to populate the registered claim portion of the payload, specifically the exp value.

While you can leave the expiry time blank (unlimited expiry), this is not good JWT security practice.
A value between five and 15 minutes is generally recommended.

The third-party service you are integrating with may also recommend an expiry time, which you should honour in your configuration.

Creating a JWT asset

You can create a JWT asset anywhere in the asset tree. The location you select determines the web path from which the token is available.

Follow these steps to create a JWT asset for authenticating to a third-party service:

  1. In the Matrix Admin view, select the asset you want to create the JWT asset beneath.
  2. Click New Child > Connectors > JSON Web Token to create the asset, and configure the name and link type.
  3. In the Secret field, supply the third-party service’s JWT secret.
  4. In the Payload field, specify the JSON claims required by the third-party service. For example:
    "sub": "%globals_user_attribute_username^json_encode%",
    "given_name": "%globals_user_attribute_first_name^json_encode%",
    "family_name": "%globals_user_attribute_last_name^json_encode%",
    "admin": %asset_has_write_access^eq:1:true:false%
  5. In the Expiry Time field, specify an expiry time for the token.

Requesting the JWT

You can retrieve the generated JSON Web Token by sending an HTTP request to the web path of the JSON Web Token Asset. Responses include a Content-Type of 'application/jwt' and an appropriate HTTP Code.

HTTP CodeReasonValue
200A valid response from an authenticated user, that returns a valid generated JWT.The JWT
500The JWT could not be generated due to a configuration error in the JSON Web Token Asset.Empty string
403Failed to authenticate the user details.Empty string

Testing the JWT asset

You can test whether the token is working correctly by testing it with a service like the jwt.io debugger.

  1. Right-click on the JWT asset and select Preview In New Window.
  2. Copy the JWT string displayed on the asset’s webpage.
  3. Visit the jwt.io debugger and decode the token.
  4. Verify the decoded token matches the configuration in Matrix.

Managing the extension

You can manage versions of this extension by upgrading or uninstalling the package.


This extension is upgraded using the Matrix package upgrade process.

See Matrix Packages for upgrade instructions.


To uninstall this extension, you need to have both Matrix system administrator and command-line access to your Matrix instance.

  1. Log in to Matrix as a system administrator and access admin mode.
  2. Move all JSON Web Token assets in your Matrix instance to the Trash.
  3. Purge any trashed JSON Web Token assets from the Trash.
  4. Follow the regular package uninstallation steps described in Matrix Packages.

Additional Resources