Anatomy of a JWT request

  • Matt Hoffman

    "*Note: If the option 'Allow update of external IDs' is enabled in Zendesk, we'll continue to key off the email even if an external ID is received. If the email and external ID differ, we'll change the ID. "

    Very well explained! Understanding this is crucial for solving many JWT SSO issues.

  • Igor Bakman

    Great piece, very informative.

    Under what header does the JWT header go in the initial POST request?

  • Dan Beirouty

    Hi Igor!

    The JWT header is used in your external script to form the JWT payload. It is the first chunk explained in this article. We have examples of these scripts (in various languages) here if you would like to check the implementations out. You might also find this article handy.

    If you need further help, let us know and we'll be happy to explore your questions in a ticket. Thanks, Igor!

  • Solomon

    Well, this would be great if it actually worked. But it does not, unfortunately; you provide scripts in languages that are rarely used in today's world. Here's an attempt at trying to do this with WordPress using PHP (a language that is more common):


    $secret = 'MY RAW SECRET KEY THAT WAS GENERATED IN ZENDESK after selecting SSO';
    $jwt_header = array(
        'type' => 'JWT',   // note: the registered JOSE header name is 'typ'
        'alg'  => 'HS256'
    );

    $user_name = $user->user_firstname . ' ' . $user->user_lastname;

    $jwt_payload = array(
        'iat'   => $_GET['timestamp'],   // note: client-supplied; the server clock (time()) belongs here
        'jti'   => uniqid($user->ID, true),
        'name'  => trim($user_name),
        'email' => $user->user_email
    );

    if (!empty($_GET['locale_id'])) {
        $jwt_payload['locale_id'] = $_GET['locale_id'];
    }

    // note: there is no '.' between the header and payload segments, and the raw secret is
    // placed where the HMAC-SHA256 signature belongs, so the token is rejected and the
    // shared secret is also sent to the user's browser in the redirect URL
    return '' . base64_encode(json_encode($jwt_header)) . base64_encode(json_encode($jwt_payload)) . '.' . $secret . '&return_to=' . $_GET['return_to'];

  • Solomon

    I've also tried generating an HMAC hash with PHP's hash_hmac and sending that off with the secret key as the 3rd parameter, but that doesn't work either:


    $header_string  = base64_encode(json_encode($jwt_header));
    $payload_string = base64_encode(json_encode($jwt_payload));
    // note: without the 4th argument (true) hash_hmac() returns lowercase hex rather than raw
    // bytes, the signed input lacks the '.' separator between header and payload, and the
    // segments use plain base64 instead of the unpadded base64url that JWT requires
    $hmac = hash_hmac('sha256', $header_string . $payload_string, $secret);

    $redirect = '' . $header_string . $payload_string . '.' . $hmac;


    Not sure if this method ever worked.

  • Solomon

    Can anyone explain how to produce a proper signature? Have made a few changes here, but the signature is always returning invalid. Have created a question on Stack Overflow with all of the details of my code in it here:

    Can anyone help me please?

  • Rebecca

    Hi Solomon - 

    I have been doing some testing on my end and I am able to get this to work using the following JWT PHP script: 

    require_once 'vendor/autoload.php';
    // Log your user in.
    use \Firebase\JWT\JWT;

    $key       = "key_goes_here";
    $subdomain = "subdomain_goes_here";
    $now       = time();

    $token = array(
      "jti"   => md5($now . rand()),
      "iat"   => $now,
      "name"  => 'marklar',
      "email" => ''
    );

    // HS256 was the default in older firebase/php-jwt releases; newer releases require the algorithm argument
    $jwt = JWT::encode($token, $key, 'HS256');
    $location = "https://" . $subdomain . "" . $jwt;
    if (isset($_GET["return_to"])) {
      $location .= "&return_to=" . urlencode($_GET["return_to"]);
    }
    // Redirect
    header("Location: " . $location);

    We have an example of creating a JWS signature in our Java script that might help; otherwise, I have always found to be an excellent resource for examples and help when implementing JWT.
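The signature Solomon asked for, as an added example that is neither Zendesk's code nor any commenter's: a dependency-free PHP equivalent of what the Firebase library does in Rebecca's script (base64url segments, a '.' between header and payload, raw-byte HMAC-SHA256 as the third segment), plus a verifier that pins the algorithm and compares in constant time. It assumes PHP 7.1+; the secret and user values are constructed placeholders.

```php
<?php
// Added example, not from the article or any commenter. Assumes PHP 7.1+ and the
// shared secret from the Zendesk SSO settings; all values below are constructed.
// base64url (RFC 7515): no '=' padding, '-' and '_' instead of '+' and '/'.
function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): ?string {
    $b64 = strtr($data, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw = base64_decode($b64, true);
    return $raw === false ? null : $raw;
}

// header.payload.signature: the MAC covers the dot-joined encoded header and
// payload, is taken as raw bytes (4th argument true), then base64url encoded.
function jwt_hs256_encode(array $claims, string $secret): string {
    $header  = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = base64url_encode(json_encode($claims));
    $sig     = hash_hmac('sha256', $header . '.' . $payload, $secret, true);
    return $header . '.' . $payload . '.' . base64url_encode($sig);
}

// Recompute the MAC and compare in constant time; pin the algorithm so a
// header claiming 'none' or a different alg is rejected.
function jwt_hs256_verify(string $jwt, string $secret): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $hdr = json_decode(base64url_decode($h) ?? '', true);
    if (!is_array($hdr) || ($hdr['alg'] ?? '') !== 'HS256') return null;
    $expected = hash_hmac('sha256', $h . '.' . $p, $secret, true);
    $given = base64url_decode($s);
    if ($given === null || !hash_equals($expected, $given)) return null;
    $claims = json_decode(base64url_decode($p) ?? '', true);
    return is_array($claims) ? $claims : null;
}

// Constructed claims; in WordPress the name and email come from the logged-in user.
$secret = 'constructed-shared-secret';
$claims = [
    'iat'   => time(),                    // server clock, never a query parameter
    'jti'   => bin2hex(random_bytes(16)), // unique per token
    'name'  => 'Example User',
    'email' => 'user@example.com',
];
$jwt = jwt_hs256_encode($claims, $secret);
assert(jwt_hs256_verify($jwt, $secret)['email'] === 'user@example.com');
assert(jwt_hs256_verify($jwt, 'wrong-secret') === null);
```

The resulting $jwt is what goes into the jwt parameter of the redirect shown in Rebecca's script; the verifier is the check Zendesk performs on its side and is useful for testing the token locally before sending it.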
