How to create a JSON Web Token (JWT)?
The PDF Generator API uses JSON Web Tokens (JWT) to authenticate all API requests. These tokens offer a method to establish secure server-to-server authentication by transferring a compact JSON object with a signed payload of your account’s API Key and Secret. When authenticating to the PDF Generator API, a JWT should be generated uniquely by a server-side application and included as a Bearer Token in the header of each request.
JSON Web Tokens are composed of three sections: a header, a payload (containing a claim set), and a signature. The header and payload are JSON objects, which are serialized to UTF-8 bytes, then encoded using base64url encoding.
The JWT's header, payload, and signature are concatenated with periods (.). As a result, a JWT typically takes the following form:
Property "alg" defines which signing algorithm is being used. PDF Generator API users HS256. Property "typ" defines the type of token and it is always JWT.
The second part of the token is the payload, which contains the claims or the pieces of information being passed about the user and any metadata required. It is mandatory to specify the following claims:
issuer (iss): Your API key
subject (sub): Workspace identifier (your email address)
You can find your API key and API secret on the Settings page in your PDF Generator API account.
You can also specify the token expiration time (exp) which is a timestamp in seconds since the Epoch (unix epoch time).
It is highly recommended to set the "exp" timestamp for a short period, i.e. a matter of seconds. This way, if a token is intercepted or shared, the token will only be valid for a short period of time.
To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that. The signature is used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.
The output is three Base64-URL strings separated by dots. The following shows a JWT that has the previous header and payload encoded, and it is signed with a secret.
In the jwt.io it should looks like this:
In case you would like to learn more about the background of the JWT or get more inputs how you can use it, you can visit jwt.io website.
You can create a temporary token on the Settings page in your PDF Generator API account. The generated token uses your email address as the subject (sub) value and is valid for 15 minutes.
These test tokens should never be used in production applications.
How to connect my template with data?
Roles & Permissions for Master user
What is Expression Language?
Creating a JWT
JSON Web Tokens are composed of three sections: a header, a payload (containing a claim set), and a signature. The header and payload are JSON objects, which are serialized to UTF-8 bytes, then encoded using base64url encoding.
The JWT's header, payload, and signature are concatenated with periods (.). As a result, a JWT typically takes the following form:
{Base64url encoded header}.{Base64url encoded payload}.{Base64url encoded signature}Header
Property "alg" defines which signing algorithm is being used. PDF Generator API users HS256. Property "typ" defines the type of token and it is always JWT.
{
"alg": "HS256",
"typ": "JWT"
}Payload
The second part of the token is the payload, which contains the claims or the pieces of information being passed about the user and any metadata required. It is mandatory to specify the following claims:
issuer (iss): Your API key
subject (sub): Workspace identifier (your email address)
You can find your API key and API secret on the Settings page in your PDF Generator API account.
You can also specify the token expiration time (exp) which is a timestamp in seconds since the Epoch (unix epoch time).
It is highly recommended to set the "exp" timestamp for a short period, i.e. a matter of seconds. This way, if a token is intercepted or shared, the token will only be valid for a short period of time.
{
"iss": "ad54aaff89ffdfeff178bb8a8f359b29fcb20edb56250b9f584aa2cb0162ed4a",
"sub": "demo.example@actualreports.com",
"exp": 1586112639
}Signature
To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that. The signature is used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
API_SECRET)Putting all together
The output is three Base64-URL strings separated by dots. The following shows a JWT that has the previous header and payload encoded, and it is signed with a secret.
In the jwt.io it should looks like this:
In case you would like to learn more about the background of the JWT or get more inputs how you can use it, you can visit jwt.io website.
Creating a temporary JWT
You can create a temporary token on the Settings page in your PDF Generator API account. The generated token uses your email address as the subject (sub) value and is valid for 15 minutes.
These test tokens should never be used in production applications.
Related articles you may find helpful
How to connect my template with data?
Roles & Permissions for Master user
What is Expression Language?
Updated on: 06/05/2025
Thank you!