Authorization Token Structure

You must create a properly defined JSON Web Token to successfully use Automation APIs.

Note:

To prevent a third party from intercepting and reusing the JWT, you must configure a Communication time-out interval when adding applications on the Automation API Access Settings screen. Upon receiving the API request, Control Manager compares the "Issued at" (iat) attribute to the time Control Manager received the request. If the request did not arrive within the configured time-out interval, Control Manager rejects the request with a 401 response code.

The following tables outline the required information that you must include in the Header and Payload sections of the JWT token.

Table 1. Header Section

| Content | Description |
|---------|-------------|
| alg | The algorithm used to calculate the JWT checksum. Supported algorithms: HS256 (HMAC SHA256), HS384, HS512 |
| typ | The type of JSON Web Token (JWT). Important: Control Manager only accepts JSON Web Tokens (JWT). |

Table 2. Payload Section

| Content | Description |
|---------|-------------|
| appid | The Application ID of the third-party application obtained from the Automation API Access Settings screen |
| iat | The "Issued at" token generation time. The generation time uses the Unix time stamp (number of seconds since Jan 01 1970 UTC) format. |
| version | The version of this JWT authorization token. Important: Control Manager only accepts "V1" JWT authorization tokens. |
| checksum | The checksum of the request |
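
The token layout from Tables 1 and 2 and the "Issued at" time-out check from the Note, as an added example (not Trend Micro's code). It assumes standard JWT HMAC signing with a secret shared between the application and the server; `build_token`, `check_token` and `shared_secret` are hypothetical names, and the `checksum` value is treated as opaque because this page does not define how it is calculated.

```python
import base64, hashlib, hmac, json, time

# Algorithms listed in Table 1, mapped to hashlib constructors.
ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_token(app_id, shared_secret, checksum, alg="HS256", now=None):
    """Client side: header and payload fields from Tables 1 and 2."""
    header = {"alg": alg, "typ": "JWT"}
    payload = {"appid": app_id,
               "iat": int(time.time() if now is None else now),
               "version": "V1",
               "checksum": checksum}  # opaque here: the page does not define it
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(shared_secret, signing_input.encode(), ALGS[alg]).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def check_token(token, shared_secret, timeout_s, received_at):
    """Receiver-side model of the checks: returns (accepted, reason)."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        payload = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return False, "malformed"
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return False, "malformed"
    alg = header.get("alg")
    digest = ALGS.get(alg) if isinstance(alg, str) else None
    if digest is None or header.get("typ") != "JWT":
        return False, "unsupported header"  # also rejects alg "none"
    expected = hmac.new(shared_secret, f"{h64}.{p64}".encode(), digest).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if payload.get("version") != "V1":
        return False, "unsupported version"
    iat = payload.get("iat")
    # Replay window: age of the token when the request arrived. Rejecting
    # future-dated tokens is a choice of this sketch, not stated on the page.
    if not isinstance(iat, int) or not 0 <= received_at - iat <= timeout_s:
        return False, "outside time-out interval"
    return True, "ok"
```

A short time-out interval only works if the client clock is synchronized with the server, since `iat` is compared against the server's receive time.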