JWT
Type ID: core.jwt · Kind: Action · Trace: CHAIN
Signs a payload into a JWT or verifies an existing token, in both cases using the HS256 algorithm and a shared secret. Optional issuer and audience claims can be included when signing or validated when verifying.
Credentials
None
Properties
| Property | Key | Type | Required | Default | Possible values | Shown when |
|---|---|---|---|---|---|---|
| Operation | operation | options | Yes | sign | sign — Sign; verify — Verify | Always |
| Payload | payload | object | No | {} | an object to sign | operation = sign |
| Token | token | string | No | '' | the JWT token to verify | operation = verify |
| Secret | secret | string | Yes | '' | the shared secret used for HS256 signing and verification | Always |
| Expires In | expiresIn | string | No | '' | optional token lifetime such as 5m or 1h (also accepts a numeric seconds value) | operation = sign |
| Issuer | issuer | string | No | '' | optional issuer claim to include or validate | Always |
| Audience | audience | string | No | '' | optional audience claim to include or validate | Always |
Notes
- Always uses HS256.
secretis required and must be a non-empty string, otherwiseexecute()throws. - Sign:
payloadmust resolve to a plain object (else throws). Output:{ token }.expiresIn,issuer, andaudienceare only applied when non-empty;expiresInaccepts a finite number or a non-empty string. - Verify:
tokenis required (else throws). When supplied,issuerandaudienceare enforced as verification options. Output:{ valid: true, payload }, where a string-decoded payload is wrapped as{ value: <string> }. An invalid token causesjwt.verifyto throw. - Parameters are resolved through the resolver engine, so expressions are supported.