For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Logo
DeveloperAcademyCommunityStatus
ReferenceGuides
ReferenceGuides
  • Agent Studio
    • Overview
    • Quickstart Guides
    • Core Concepts
    • Conversation Process
    • Actions
    • Connectors
      • System Connectors
      • HTTP Connectors
        • Basic Auth
        • API Key Auth
        • Bearer Token Auth
        • OAuth 2.0 - Client Credentials
        • OAuth 2.0 - Authorization Code
        • OAuth 2.0 - JWT Bearer Auth
        • OAuth 2.0 - Refresh Token
        • OAuth 2.0 - Password Credentials
        • JWKS Auth
      • Network Allowlisting
    • System Triggers
    • Agent Architect
    • Cookbooks
    • Development and Testing
    • AI Agent Marketplace
    • Developer Tools
  • Agentic AI
    • LLM Fundamentals
    • The Agentic Reasoning Engine
    • Memory Constructs
    • Conversational Context
    • Guardrails
    • Grounding and Hallucinations
    • Continuous Learning
    • LLMs & SLMs
    • Steerability Tools
    • Multilingual Support
  • Core Platform
    • User Identity
    • Moveworks Agent (On-Prem)
    • Approvals Engine
    • Entity Catalog
    • Moveworks Data Objects
    • Security Information and Event Management (SIEM) Logs Overview
DeveloperAcademyCommunityStatus
On this page
  • OAuth 2.0 with JWT Bearer Auth
  • Authentication Options
  • Two-Step Authentication Process
  • Step 1: How We Generate the JWT
  • Step 2: Exchange JWT for an Access Token (if applicable)
  • Step 3: Use the Access Token in API Requests
  • Configuration Fields
Agent StudioConnectorsHTTP Connectors

OAuth 2.0 - JWT Bearer Auth

||View as Markdown|
Was this page helpful?
Edit this page
Previous

OAuth 2.0 - Refresh Token

Next
Built with

OAuth 2.0 with JWT Bearer Auth

The OAuth 2.0 JWT Bearer authentication method allows you to obtain an Access Token using a JWT (JSON Web Token). This JWT represents the user’s identity and permissions and replaces traditional username-password authentication.

Once obtained, the Access Token is used to authenticate API requests as a Bearer Token. When it expires, you can use a new JWT to request a fresh Access Token, maintaining secure access without re-authentication.

Authentication Options

Two-Step Authentication Process

OAuth 2.0 with JWT Bearer authentication follows a two-step process:

  1. Generate a JWT from the provided configuration parameters - We construct a JWT using the issuer, audience, subject, expiry, and additional claims configured by the user.
  2. Exchange the JWT for an Access Token (if applicable) - If a token request URL is provided, the JWT is sent to the authorization server to obtain an Access Token. If no URL is provided, the JWT itself is used as the Bearer Token in API requests.

Step 1: How We Generate the JWT

We generate the JWT based on the configured values in the authentication setup:

1import jwt
2import time
3
4# Example of how the system constructs the JWT
5private_key = config["Jwt Auth Private Key"]
6algorithm = config["Jwt Auth Algorithm"]
7
8payload = {
9    "iss": config["Jwt Auth Claims Issuer"],
10    "sub": config["Jwt Auth Claims Subject"],
11    "aud": config["Jwt Auth Claims Audience"],
12    "iat": int(time.time()),
13    "exp": int(time.time()) + int(config["Jwt Auth Claims Expiry Seconds"]),
14    **config.get("Jwt Auth Additional Claims", {})  # Merging any extra claims
15}
16
17headers = config.get("Jwt Auth Headers", {})
18
19jwt_token = jwt.encode(payload, private_key, algorithm=algorithm, headers=headers)

Step 2: Exchange JWT for an Access Token (if applicable)

If a token request URL is provided, the system will send the JWT to the authorization server and extract the Access Token from the response:

$curl -X POST "$(config['Jwt Auth OAuth2 Access Token Request URL'])" \
>     -H "Content-Type: application/x-www-form-urlencoded" \
>     -d "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" \
>     -d "assertion=$jwt_token"

A successful response might look like this:

1{
2    "access_token": "YOUR_ACCESS_TOKEN",
3    "token_type": "Bearer",
4    "expires_in": 3600
5}

The system will extract access_token from this response and use it for subsequent API requests.

If no token request URL is provided, the system will use the JWT itself as the Bearer Token.

Step 3: Use the Access Token in API Requests

Once the Access Token is determined, it is included in API requests:

$curl -X GET "https://api.example.com/data" \
>     -H "Authorization: Bearer $ACCESS_TOKEN"

Where $ACCESS_TOKEN is either:

  • The JWT itself (if no token request URL was provided)
  • The extracted access token from the authorization server’s response

Configuration Fields

To set this up:

  1. Select JWT Auth from the Auth Config dropdown.

  2. Fill in the required fields:

    Field NameField Value
    Jwt Auth Private KeyUpload your Private Key or 256-bit secret. See JWT.io for formatting details.
    Jwt Auth AlgorithmSelect from HS256, RS256, or ES256, as specified by the system you are integrating with.
    Jwt Auth Claims Expiry SecondsSet the expiration time in seconds (e.g., 3600). The exp claim is calculated as iat + this value.
    Jwt Auth Claims IssuerThe iss claim value.
    Jwt Auth Claims AudienceThe aud claim value.
    Jwt Auth Claims SubjectThe sub claim value.
    Jwt Auth HeadersAny additional header claims, such as alg, typ, or kid.
    Jwt Auth Additional ClaimsAny extra payload claims, such as scope or name.
    Assertion Key (optional)Optional key used to pass the JWT assertion. If no key is specified, the standard ‘assertion’ is used.
    Jwt Auth Oauth2 Access Token Request UrlThe full token request URL. If provided, the JWT is sent to this URL to obtain an Access Token.
    Custom Grant Type (Optional)Optionally override the default grant type (urn:ietf:params:oauth:grant-type:jwt-bearer).

For testing and validation, you can use JWT.io. The iat and exp claims are automatically generated and do not need to be manually specified in the configuration.