Security Event Token Headers

When it comes to JSON Web Tokens, the header section typically serves two purposes: 1) it identifies the token type; and, 2) it identifies the hashing algorithm used to encode the token. Security token headers employed by the Akamai Identity Cloud cover both of those purposes; in addition, the header section indicates which JSON Web Key was used to sign the token.

A typical Identity Cloud SET header looks similar to this:

 "typ": "secevent+jwt",
 "alg": "RS256",
 "kid": "1dc12073699c68c1daee6c9a100e2b43febdcd92",
 "jku": ""

The four claims (typ, alg, kid, and jku) used in the token header are described in the following table:




Specifies the type of token being returned. For the security event tokens used with Webhooks v3, this value will always be secevent+jwt, a token type that helps distinguish webhooks notifications from other JSON Web Tokens (such as identity tokens, which have the type jwt). 


Identifies the cryptographic algorithm used to sign the token. For webhooks, this value will always be RS256, which references the hashing algorithm RSASSA-PKCS1-v1_5 using SHA-256.


Key identifier, a case-sensitive string that indicates the JSON Web Key used to sign the token. Each JSON Web Key includes a kid property that corresponds to the kid property shown in the token header.


JSON Web Key Set URL. URL of your JSON Web Key Set. For example: