
# Build authentication token

## Overview

The digital wallet backend must build an authentication token in the following cases:

* To support green flow enrollment.
* To provide additional wallet data (issuer risk scoring).

The digital wallet backend signs the authentication token with its private key.

NFC Wallet backend validates the token with the corresponding public key provided during onboarding.

{% hint style="warning" %}
Build the authentication token on the digital wallet backend. Then pass it to the digital wallet application.
{% endhint %}

### Green flow enrollment

The token proves that the issuer has previously authenticated the end user and approved the tokenization request.

### Additional wallet data

The authentication token lets the digital wallet provide additional data securely. It helps ensure that no intermediary alters the additional data.

See [Provide additional wallet data](/nfc-wallet/nfc-wallet-backend/card-enrollment/build-authentication-token/provide-additional-wallet-data.md).

### Authentication token requirements

The authentication token is a JWT ([RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519)).

{% hint style="info" %}
JWT is a standard format for transmitting signed claims between systems.
{% endhint %}

#### Supported algorithms

NFC Wallet backend supports these signature algorithms:

* `RS256`
* `PS256`
* `PS512`

#### JWT format

A JWT contains three Base64URL-encoded parts separated by dots (`.`):

* Header
* Payload
* Signature

The compact format is:

`<header>.<payload>.<signature>`

#### Header

The header defines the token type and signature algorithm.

`kid` is required. NFC Wallet backend uses it to select the correct public key.

Header example:

{% code title="JWT header" expandable="true" %}

```json
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "12345abcde"
}
```

{% endcode %}

Base64URL-encode the header as a single line before generating the signature.

#### Payload

The payload supports these claims:

<table><thead><tr><th width="133.22216796875">Field</th><th width="146.77777099609375">Required</th><th>Description</th></tr></thead><tbody><tr><td><code>iss</code></td><td>Required</td><td>Issuer identifier. Use the <code>issuerId</code> assigned during onboarding.</td></tr><tr><td><code>sub</code></td><td>Conditional</td><td>Required only if <code>nonce</code> is present in the encrypted card data. Set the value to the SHA-256 hash of the <code>nonce</code>.</td></tr><tr><td><code>iat</code></td><td>Required</td><td>Token issuance time, formatted as defined in <a href="https://datatracker.ietf.org/doc/html/rfc7519">RFC 7519</a>.</td></tr><tr><td><code>exp</code></td><td>Required</td><td>Token expiration time, formatted as defined in <a href="https://datatracker.ietf.org/doc/html/rfc7519">RFC 7519</a>.</td></tr><tr><td><code>wallet</code></td><td>Optional</td><td>Additional wallet data in JSON payload format.<br>See <a href="/spaces/1qH2BUpGoh4ljBdsqlZq/pages/cd1Jlu0AURmIb1YVehEd">Provide additional wallet data</a>.</td></tr></tbody></table>

Payload example:

{% code title="JWT payload" expandable="true" %}

```json
{
  "iat": 1456815010,
  "exp": 1456851010,
  "iss": "acmeBank",
  "sub": "b776ce1e1b00be3f03c7fff59d872c32cfd65cc4377766f47af84f48ea8925f2"
}
```

{% endcode %}

> In the example above, `sub` is `b776ce1e1b00be3f03c7fff59d872c32cfd65cc4377766f47af84f48ea8925f2`. It is the SHA-256 hash of the `nonce` value `abdda9cfbe2fdce335290773ba6f56a9c5ebe64910`.

#### Signature

Compute the signature over the Base64URL-encoded header and payload with the issuer backend private key.

NFC Wallet backend validates the signature with the public key provided during onboarding.

The final JWT is the concatenation of the encoded header, payload, and signature, separated by dots.
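
The following pre-flight check is an added example, not code from NFC Wallet or its documentation. It parses a compact token and reports violations of the header and payload requirements above without verifying the signature. The function names are hypothetical, and it assumes the `nonce` is hashed as a UTF-8 string with the digest hex-encoded.

```python
import base64
import hashlib
import json
import time

SUPPORTED_ALGS = ("RS256", "PS256", "PS512")  # algorithms listed on this page
REQUIRED_CLAIMS = ("iss", "iat", "exp")

def b64url_decode(part):
    # JWT parts are unpadded Base64URL; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sub_for_nonce(nonce):
    # Assumption: the nonce is hashed as a UTF-8 string and hex-encoded.
    return hashlib.sha256(nonce.encode("utf-8")).hexdigest()

def sample_token(header, claims, signature="c2lnbmF0dXJl"):
    # Constructed test input: the signature part is a placeholder, not a real one.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join((enc(header), enc(claims), signature))

def preflight(token, nonce=None, now=None):
    """Return structural problems in a compact JWT (the signature is not verified)."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return ["token is not <header>.<payload>.<signature>"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad Base64, bad UTF-8 and bad JSON
        return ["header or payload is not Base64URL-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header and payload must be JSON objects"]
    problems = []
    if header.get("alg") not in SUPPORTED_ALGS:
        problems.append("alg is not RS256, PS256 or PS512")
    if not header.get("kid"):
        problems.append("kid header is missing")
    problems += ["claim %s is missing" % c for c in REQUIRED_CLAIMS if c not in claims]
    iat, exp = claims.get("iat"), claims.get("exp")
    if isinstance(iat, int) and isinstance(exp, int):
        now = int(time.time()) if now is None else now
        if exp <= iat:
            problems.append("exp is not after iat")
        elif exp <= now:
            problems.append("token has expired")
    if nonce is not None and claims.get("sub") != sub_for_nonce(nonce):
        problems.append("sub is not the SHA-256 hash of the nonce")
    return problems
```

Run `preflight` on the digital wallet backend before passing the token to the application, supplying the `nonce` whenever one is present in the encrypted card data.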

#### Generate the JWT

You can use any JWT library that supports RSA signatures and custom headers.

This example uses the `jose4j` Java library:

{% code title="GenerateJwt.java" %}

```java
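import java.security.PrivateKey;

import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;

public class GenerateJwt {
    // issuerId: the issuerId assigned during onboarding.
    // subject: SHA-256 hash of the nonce, or null when no nonce is present.
    // keyId: identifies the public key provided during onboarding.
    static String generateJwt(String issuerId, String subject, PrivateKey privateKey, String keyId)
            throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(issuerId);                     // iss
        claims.setExpirationTimeMinutesInTheFuture(5);  // exp
        claims.setIssuedAtToNow();                      // iat

        // sub is required only if a nonce is present in the encrypted card data.
        if (subject != null) {
            claims.setSubject(subject);
        }

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(privateKey);
        jws.setHeader("typ", "JWT");
        jws.setHeader("kid", keyId);
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256); // RS256

        // Returns <header>.<payload>.<signature>
        return jws.getCompactSerialization();
    }
}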
```

{% endcode %}

{% hint style="info" %}
See [JWT libraries by language](https://jwt.io/#libraries-io) for supported implementations.
{% endhint %}

