xtract.bot
POST /api/jwt-sign

Issue a JWT signed with HS256, HS384, or HS512. Pass the payload as JSON, the secret as a string, and optional claims (issuer, audience, expiry).

Creates a JSON Web Token signed with an HMAC algorithm and returns the encoded `header.payload.signature` string.

Inputs:

- `payload`: the JSON claims object.
- `secret`: the HMAC secret (any string).
- `algorithm`: `HS256` (default), `HS384`, or `HS512`.
- `expiresInSeconds` (optional): adds an `exp` claim that many seconds from now.
- `issuer` / `audience` / `subject` (optional): adds the corresponding `iss` / `aud` / `sub` claims.

For asymmetric (RS256/ES256) signing the verifier needs a matching public key — that flow is not currently exposed.

Inputs

| Name | Type | Default | Description |
|---|---|---|---|
| payload* | string | | JWT payload as a JSON object (your claims). |
| secret* | string | | HMAC secret. Keep it private — anyone with it can mint valid tokens. |
| algorithm | enum (HS256 \| HS384 \| HS512) | "HS256" | HMAC algorithm. |
| expiresInSeconds | number (1…31536000) | | Lifetime in seconds. When set, adds an `exp` claim. |
| setIssuedAt | boolean | true | Add an `iat` claim with the current unix timestamp (default true). |

Response

Modes: json. Cache: not cacheable.

Code samples

Built from the hs256-default example.


```bash
curl -X POST https://api.xtract.bot/api/jwt-sign \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "X-Account-Id: $XTRACT_ACCOUNT_ID" \
  -H "X-Api-Key: $XTRACT_API_KEY" \
  -d '{
  "payload": "{\"sub\":\"alice\",\"role\":\"admin\"}",
  "secret": "shared-secret-please-rotate-me",
  "algorithm": "HS256"
}'
```
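
The same `header.payload.signature` construction done locally, together with the checks a verifier should apply to such a token: a pinned algorithm, a constant-time MAC comparison, and `exp` enforcement. This is an added example, not xtract.bot's code; the function names, the `now` parameter and the `typ` header field are assumptions, since the page does not document the header the service emits.

```python
import base64, hashlib, hmac, json, time

# Added example: the HMAC algorithms the page lists, mapped to hashlib digests.
ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload, secret, algorithm="HS256", expires_in_seconds=None, now=None):
    """Build header.payload.signature locally (names here are assumptions)."""
    now = int(time.time()) if now is None else now
    claims = dict(payload, iat=now)               # mirrors setIssuedAt=true
    if expires_in_seconds is not None:
        claims["exp"] = now + expires_in_seconds  # mirrors expiresInSeconds
    header = {"alg": algorithm, "typ": "JWT"}     # "typ" is an assumption
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(secret.encode(), signing_input.encode(), ALGS[algorithm]).digest()
    return signing_input + "." + b64url(mac)

def verify(token, secret, expected_alg, now=None):
    """Return the claims, or raise ValueError naming the failed check."""
    try:
        h64, p64, s64 = token.split(".")
        alg = json.loads(b64url_decode(h64))["alg"]
        sig = b64url_decode(s64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the verifier side; the header must not choose it.
    if alg != expected_alg:
        raise ValueError("unexpected alg")
    good = hmac.new(secret.encode(), (h64 + "." + p64).encode(), ALGS[expected_alg]).digest()
    if not hmac.compare_digest(sig, good):        # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    # Constructed sample input, taken from the page's curl payload.
    token = sign({"sub": "alice", "role": "admin"}, "shared-secret-please-rotate-me", expires_in_seconds=300)
    print(token)
    print(verify(token, "shared-secret-please-rotate-me", "HS256"))
```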