JWT format

Airlock Gateway Configuration Center assertions must be signed and encrypted using the following supported algorithms:

  • HS512 for signing
  • A256CBC_HS512 for encryption

The JWT requires the following claims:

  • sub – the username, which may only contain the characters A-Z, a-z, the digits 0-9 and the special characters '@', '.', '-' and '_'
  • roles – an array of one or more Airlock Gateway administrative roles (e.g., airlock-administrator)
  • exp – the expiration time in seconds for the JWT

Risk: Choose a low expiration time value such as 10 seconds, long enough to cover typical latencies but short enough to effectively prevent token misuse.

In addition to ensuring the correct JWT structure, retrieve and prepare the JWT secret so it can be used for signing and encryption.
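As an added example (not Airlock's own code), the following Python builds and verifies the inner HS512-signed JWT and enforces the claim rules above; the secret, clock values and function names are constructed assumptions, and the outer A256CBC_HS512 encryption of the signed token is a separate step done with a JOSE library and is not shown here.

```python
import base64, hashlib, hmac, json, re

# Claim rules from the page: sub charset, a non-empty roles array, short exp.
SUB_RE = re.compile(r"[A-Za-z0-9@._-]+")
MAX_LIFETIME = 10  # seconds, the value the Risk note recommends

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_claims(claims: dict, now: int) -> dict:
    """Enforce the documented claim rules; raise ValueError on any violation."""
    if not isinstance(claims.get("sub"), str) or not SUB_RE.fullmatch(claims["sub"]):
        raise ValueError("sub may only contain A-Z, a-z, 0-9, '@', '.', '-' and '_'")
    roles = claims.get("roles")
    if not isinstance(roles, list) or not roles or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles must be an array of one or more role names")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("exp missing or already passed")
    return claims

def build_jws(sub: str, roles: list, secret: bytes, now: int, lifetime: int = MAX_LIFETIME) -> str:
    """Build the inner HS512-signed JWT. Wrapping it in an A256CBC_HS512 JWE is a separate step."""
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError(f"lifetime must be between 1 and {MAX_LIFETIME} seconds")
    claims = check_claims({"sub": sub, "roles": roles, "exp": now + lifetime}, now)
    header = b64url(json.dumps({"alg": "HS512", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha512).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jws(token: str, secret: bytes, now: int) -> dict:
    """Pin the algorithm, verify HS512 in constant time, then re-check the claims."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS512":
        raise ValueError("alg must be HS512")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature mismatch")
    return check_claims(json.loads(b64url_decode(payload)), now)

# Constructed sample secret and clock; the real secret is retrieved from the Gateway.
SAMPLE_SECRET = b"constructed-demo-secret-not-for-real-use"
NOW = 1_700_000_000
```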