Security Event Token Headers

When it comes to JSON Web Tokens, the header section typically serves two purposes: 1) it identifies the token type; and 2) it identifies the cryptographic algorithm used to sign the token. Security event token (SET) headers used by the Akamai Identity Cloud cover both of those purposes; in addition, the header section indicates which JSON Web Key was used to sign the token.

A typical Identity Cloud SET header looks similar to this:

{
 "typ": "secevent+jwt",
 "alg": "RS256",
 "kid": "1dc12073699c68c1daee6c9a100e2b43febdcd92"
}

The three claims (typ, alg, and kid) used in the token header are described in the following table:

| Claim | Description |
|---|---|
| typ | Specifies the type of token being returned. For the security event tokens used with Webhooks v3, this value will always be secevent+jwt, a token type that helps distinguish webhook notifications from other JSON Web Tokens (such as identity tokens, which have the type jwt). |
| alg | Identifies the cryptographic algorithm used to sign the token. For webhooks, this value will always be RS256, which refers to the signature algorithm RSASSA-PKCS1-v1_5 using SHA-256. |
| kid | Key identifier, a case-sensitive string that indicates the JSON Web Key used to sign the token. Each JSON Web Key includes a kid property that corresponds to the kid property shown in the token header. |
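
The following Python code is an added example, not Akamai's own code: it shows how a webhook receiver can check the three header claims against fixed expected values and pick the matching JSON Web Key before verifying the signature. The function names, the HeaderError class, and the SAMPLE_JWKS contents are hypothetical; the key material is a placeholder, and signature verification with the selected key is assumed to happen in a later step.

```python
import base64
import json

EXPECTED_TYP = "secevent+jwt"   # per the page: always this value for Webhooks v3
EXPECTED_ALG = "RS256"          # per the page: always RS256 for webhooks

class HeaderError(ValueError):
    """The token header is malformed or does not match what a SET should carry."""

def b64url_decode(segment: str) -> bytes:
    # Compact JWTs drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(header: dict) -> str:
    # Builds a constructed, unsigned sample token; payload and signature are dummies.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"{}"), enc(b"sig")])

def select_signing_key(token: str, jwks: dict) -> dict:
    """Check typ and alg against fixed values, then return the JWK matching kid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise HeaderError("not a three-part compact token")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise HeaderError("header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise HeaderError("header is not a JSON object")
    if header.get("typ") != EXPECTED_TYP:
        raise HeaderError("typ is not secevent+jwt")
    # Compare alg to a constant; never let the token choose the algorithm.
    if header.get("alg") != EXPECTED_ALG:
        raise HeaderError("alg is not RS256")
    kid = header.get("kid")
    if not isinstance(kid, str):
        raise HeaderError("kid is missing")
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:  # exact match: kid is case-sensitive
            return key
    raise HeaderError("no JSON Web Key with this kid")

# Constructed sample data: header values from the page, placeholder key material.
PAGE_HEADER = {"typ": "secevent+jwt", "alg": "RS256",
               "kid": "1dc12073699c68c1daee6c9a100e2b43febdcd92"}
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "constructed-other-key", "n": "PLACEHOLDER", "e": "AQAB"},
    {"kty": "RSA", "kid": PAGE_HEADER["kid"], "n": "PLACEHOLDER", "e": "AQAB"},
]}
```

Calling select_signing_key(make_token(PAGE_HEADER), SAMPLE_JWKS) returns the second key in the set; a header with a different typ, a different alg, or a kid that differs only in letter case raises HeaderError.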