When it comes to JSON Web Tokens, the header section typically serves two purposes: 1) it identifies the token type; and, 2) it identifies the hashing algorithm used to encode the token. Security token headers used by the Akamai Identity Cloud cover both of those purposes; in addition, the header section indicates which JSON Web Key was used to sign the token.
A typical Identity Cloud SET header looks similar to this:
"typ": "secevent+jwt",
"alg": "RS256",
"kid": "1dc12073699c68c1daee6c9a100e2b43febdcd92"
}
The three claims (typ, alg, and kid) used in the token header are described in the following table:
|
Claim |
Description |
|
typ |
Specifies the type of token being returned. For the security event tokens used with Webhooks v3, this value will always be secevent+jwt, a token type that helps distinguish webhooks notifications from other JSON Web Tokens (such as identity tokens, which have the type jwt). |
|
alg |
Identifies the cryptographic algorithm used to sign the token. For webhooks, this value will always be RS256, which references the hashing algorithm RSASSA-PKCS1-v1_5 using SHA-256. |
|
kid |
Key identifier, a case-sensitive string that indicates the JSON Web Key used to sign the token. Each JSON Web Key includes a kid property that corresponds to the kid property shown in the token header. |