xtract.bot

POST /api/jwt-sign1 quota unit per call · cache hits free

Issue a JWT signed with HS256, HS384, or HS512. Pass the payload as JSON, the secret as a string, and optional claims (issuer, audience, expiry).

Creates a JSON Web Token signed with an HMAC algorithm and returns the encoded `header.payload.signature` string. Inputs: - `payload`: the JSON claims object. - `secret`: the HMAC secret (any string). - `algorithm`: `HS256` (default), `HS384`, or `HS512`. - `expiresInSeconds` (optional): adds an `exp` claim that many seconds from now. - `issuer` / `audience` / `subject` (optional): adds the corresponding `iss` / `aud` / `sub` claims. For asymmetric (RS256/ES256) signing the verifier needs a matching public key — that flow is not currently exposed.

Inputs

NameTypeDefaultDescription
payload*stringJWT payload as a JSON object (your claims).
secret*stringHMAC secret. Keep it private — anyone with it can mint valid tokens.
algorithmenum (HS256 | HS384 | HS512)"HS256"HMAC algorithm.
expiresInSecondsnumber (1…31536000)Lifetime in seconds. When set, adds an `exp` claim.
setIssuedAtbooleantrueAdd an `iat` claim with the current unix timestamp (default true).

Response

Modes: json. Cache: not cacheable.

Every response carries x-cache (HIT / MISS / BYPASS), x-cache-signature (stable across identical inputs), and the rate-limit headers listed below.

Quota & limits

Cost per call1 unit against the 10,000-unit monthly quota. Cache hits are free — only cache misses decrement.
Burst limit200 requests per rolling minute, shared across all tools.
Max request size1 MiB (base64 inflates file payloads ~33% — the limit applies to the decoded bytes).
Max response size1 MiB
Timeout5s wall clock.
Rate-limit headersX-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Burst-Limit on every response; X-Quota-Warning once 80% of the monthly quota is spent; Retry-After on 429s.

Errors

Errors are JSON with an error string; schema failures add a details object (Zod's flattened field errors).

StatusWhenBody
400Input fails the tool's schema (wrong type, missing required field, malformed base64) or the file bytes can't be parsed as the expected format.{ "error": "invalid inputs", "details": { "fieldErrors": { … } } }
401Missing or invalid X-Api-Key / X-Account-Id headers (or no session when called from the browser).{ "error": "unauthorized" }
404Unknown tool id, or calling /api/* on the website hostname instead of api.xtract.bot.{ "error": "not found" }
413Request body over the tool's max request size, or an image header declaring more megapixels than the tool's pixel budget.{ "error": "…exceeds maxRequestBytes…" }
415Content-Type isn't application/json on the json-body transport.{ "error": "unsupported content-type; expected application/json" }
429Monthly quota or the 200/min burst limit exhausted. Check Retry-After and the X-RateLimit-* headers.{ "error": "monthly quota exceeded", "monthRemaining": 0, … }
5xxConversion engine failure. Safe to retry; if it persists, the input is hitting a bug — please report it.{ "error": "…" }

Code samples

Built from the hs256-default example.


curl -X POST https://api.xtract.bot/api/jwt-sign \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "X-Account-Id: $XTRACT_ACCOUNT_ID" \
  -H "X-Api-Key: $XTRACT_API_KEY" \
  -d '{
  "payload": "{\"sub\":\"alice\",\"role\":\"admin\"}",
  "secret": "shared-secret-please-rotate-me",
  "algorithm": "HS256"
}'