Anatomy of a JWT request

  • Matt Hoffman

    "*Note: If the option 'Allow update of external IDs' is enabled in Zendesk, we'll continue to key off the email even if an external ID is received. If the email and external ID differ, we'll change the ID."

    Very well explained! Understanding this is crucial for solving many JWT SSO issues.

  • Igor Bakman

    Great piece, very informative.

    Under what header does the JWT header go in the initial POST request?

  • Dan B.

    Hi Igor!

    The JWT header is used in your external script to form the JWT payload. It is the first chunk explained in this article. We have examples of these scripts (in various languages) here if you would like to check the implementations out. You might also find this article handy.

    If you need further help, let us know and we'll be happy to explore your questions in a ticket. Thanks, Igor!

  •

    Well, this would be great if it actually worked. But it does not; unfortunately, you provide scripts in languages that are rarely used in today's world. Here's an attempt at trying to do this with WordPress using PHP (a language that is more common):


    $secret = 'MY RAW SECRET KEY THAT WAS GENERATED IN ZENDESK after selecting SSO';
    // JWT header (the first chunk of the token)
    $jwt_header = array(
        'type' => 'JWT',
        'alg' => 'HS256'
    );

    $user_name = $user->user_firstname . ' ' . $user->user_lastname;

    // JWT payload (claims about the logged-in WordPress user)
    $jwt_payload = array(
        'iat' => $_GET['timestamp'],
        'jti' => uniqid($user->ID, true),
        'name' => trim($user_name),
        'email' => $user->user_email
    );

    if (!empty($_GET['locale_id'])) {
        $jwt_payload['locale_id'] = $_GET['locale_id'];
    }

    // Build the redirect URL from the encoded header, payload and secret
    return '' . base64_encode(json_encode($jwt_header)) . base64_encode(json_encode($jwt_payload)) . '.' . $secret . '&return_to=' . $_GET['return_to'];

  •

    I've also tried generating an HMAC hash with PHP and sending that off with the secret key as the 3rd parameter, but that doesn't work either:


    // Encode header and payload, then HMAC them with the shared secret
    $header_string = base64_encode(json_encode($jwt_header));
    $payload_string = base64_encode(json_encode($jwt_payload));
    $hmac = hash_hmac('sha256', $header_string . $payload_string, $secret);

    // Redirect target: encoded header, payload and the HMAC as the signature part
    $redirect = '' . $header_string . $payload_string . '.' . $hmac;


    Not sure if this method ever worked.

  •

    Can anyone explain how to produce a proper signature? I have made a few changes here, but the signature is always returning invalid. I have created a question on Stack Overflow with all of the details of my code in it here:

    Can anyone help me please?

  •

    Hi Solomon -

    I have been doing some testing on my end and I am able to get this to work using the following JWT PHP script:

    <?php
    require_once 'vendor/autoload.php';
    // Log your user in.
    use \Firebase\JWT\JWT;

    $key       = "key_goes_here";
    $subdomain = "subdomain_goes_here";
    $now       = time();

    // Claims Zendesk expects: a unique jti, the issue time, name and email
    $token = array(
      "jti"   => md5($now . rand()),
      "iat"   => $now,
      "name"  => 'marklar',
      "email" => ''
    );

    // Sign the claims (HS256) with the shared secret from the SSO settings
    $jwt = JWT::encode($token, $key);
    $location = "https://" . $subdomain . "" . $jwt;
    if(isset($_GET["return_to"])) {
      $location .= "&return_to=" . urlencode($_GET["return_to"]);
    }
    // Redirect
    header("Location: " . $location);

    We have an example of creating a JWS signature in our Java script that might help; otherwise, I have always found to be an excellent resource for examples and help when implementing JWT.
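As an added illustration, not code from this thread or from Zendesk: the HS256 token layout the posts above are trying to produce (base64url-encoded header and payload, then the raw HMAC-SHA256 bytes over "header.payload" base64url-encoded as the third part), written in Python so it runs with the standard library, plus a verifier you can use to check what a PHP implementation emits. The claim names follow the thread; the secret and user values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional


def b64url(data: bytes) -> str:
    """JWT uses base64url with the '=' padding stripped (RFC 7515), not plain base64."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding that b64url() stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(claims: dict, secret: str) -> str:
    """Return header.payload.signature. The signature is the raw HMAC-SHA256 bytes
    over 'header.payload', base64url-encoded: not a hex digest, never the secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def sso_claims(name: str, email: str, now: Optional[int] = None) -> dict:
    """The claim set the thread builds: unique jti, issue time, name, email (constructed values)."""
    return {"jti": uuid.uuid4().hex, "iat": now or int(time.time()), "name": name, "email": email}

def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Verifier side: exactly three parts, alg pinned to HS256, constant-time MAC
    comparison. Returns the claims on success, None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, payload, sig = parts
    try:
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), sig):
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
```

Comparing the token a PHP script produces against `encode_hs256` on the same claims and secret shows immediately whether the problem is plain base64 instead of base64url, a hex digest instead of raw HMAC bytes, or a missing "." separator.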
