
# Build authentication token (old)

### Overview

To support green flow enrollment, the issuer backend must build an authentication token.

The token proves that the issuer previously authenticated the end user and approved the Tokenization request.

Sign the authentication token with the issuer backend private key.

NFC Wallet backend validates the token with the corresponding public key provided during onboarding.

{% hint style="warning" %}
Build the authentication token on the issuer backend. Then pass it to the issuer application.
{% endhint %}

### Authentication token requirements

The authentication token is a JWT ([RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519)).

{% hint style="info" %}
JWT is a standard format for transmitting signed claims between systems.
{% endhint %}

#### Supported algorithms

NFC Wallet backend supports these signature algorithms:

* `RS256`
* `PS256`
* `PS512`

#### JWT format

A JWT contains three Base64URL-encoded parts separated by dots (`.`):

* Header
* Payload
* Signature

The compact format is:

`<header>.<payload>.<signature>`

#### Header

The header defines the token type and signature algorithm.

`kid` is required. NFC Wallet backend uses it to select the correct public key.

Header example:

{% code title="JWT header" expandable="true" %}

```json
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "12345abcde"
}
```

{% endcode %}

Base64URL-encode the header as a single line before generating the signature.

#### Payload

The payload supports these claims:

| Field | Requirement | Description                                                                                                                 |
| ----- | ----------- | --------------------------------------------------------------------------------------------------------------------------- |
| `iss` | Required    | Issuer identifier. Use the `issuerId` assigned during onboarding.                                                           |
| `sub` | Conditional | Provide this claim only if `nonce` is present in the encrypted card data. Set the value to the SHA-256 hash of the `nonce`. |
| `iat` | Required    | Token issuance time, formatted as defined in [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519).                     |
| `exp` | Required    | Token expiration time, formatted as defined in [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519).                   |

Payload example:

{% code title="JWT payload" expandable="true" %}

```json
{
  "iat": 1456815010,
  "exp": 1456851010,
  "iss": "acmeBank",
  "sub": "b776ce1e1b00be3f03c7fff59d872c32cfd65cc4377766f47af84f48ea8925f2"
}
```

{% endcode %}

In this example, `sub` contains the SHA-256 hash of the `nonce` value `abdda9cfbe2fdce335290773ba6f56a9c5ebe64910`.

#### Signature

Compute the signature over the Base64URL-encoded header and payload with the issuer backend private key.

NFC Wallet backend validates the signature with the public key provided during onboarding.

The final JWT is the concatenation of the encoded header, payload, and signature, separated by dots.

#### Generate the JWT

You can use any JWT library that supports RSA signatures and custom headers.

This example uses the `jose4j` Java library:

{% code title="GenerateJwt.java" %}

```java
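import java.security.PrivateKey;

import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;

public final class GenerateJwt {
    // issuerId: the value assigned during onboarding. keyId: the "kid" of the onboarded public key.
    // subject: SHA-256 hash of the nonce, or null when the encrypted card data has no nonce.
    static String generateJwt(String issuerId, String keyId, String subject,
                              PrivateKey privateKey) throws Exception {
        // Required claims: iss, exp (five minutes after issuance) and iat.
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(issuerId);
        claims.setExpirationTimeMinutesInTheFuture(5);
        claims.setIssuedAtToNow();

        // Conditional claim: sub is set only when a nonce hash was supplied.
        if (subject != null) {
            claims.setSubject(subject);
        }

        // Sign header and payload with the issuer backend private key (RS256).
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(privateKey);
        jws.setHeader("typ", "JWT");
        jws.setHeader("kid", keyId);
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);

        // Returns <header>.<payload>.<signature>
        return jws.getCompactSerialization();
    }
}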
```

{% endcode %}

{% hint style="info" %}
See [JWT libraries by language](https://jwt.io/#libraries-io) for supported implementations.
{% endhint %}
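Before passing a token to the issuer application, the issuer backend can check it against the requirements above: supported algorithm, `kid` present, required claims, and a signature that verifies with the onboarded public key. The following is an added example, not code from this documentation or from the NFC Wallet backend; it uses `jose4j`, and the class name `AuthTokenSelfCheck`, the throwaway key pair and the sample `acmeBank` / `12345abcde` values are assumptions for illustration.

```java
import java.util.regex.Pattern;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;

public final class AuthTokenSelfCheck { // hypothetical name, not part of any SDK
    // Assumption: sub is hex-encoded, as in the payload example on this page.
    private static final Pattern SHA256_HEX = Pattern.compile("[0-9a-fA-F]{64}");
    /** Returns the claims, or throws if the token breaks a requirement listed above. */
    static JwtClaims check(String jwt, String issuerId, String keyId,
                           java.security.PublicKey publicKey) throws Exception {
        JwtContext ctx = new JwtConsumerBuilder()
                .setVerificationKey(publicKey) // signature must match the onboarded key
                .setJwsAlgorithmConstraints(ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256,
                        AlgorithmIdentifiers.RSA_PSS_USING_SHA256, AlgorithmIdentifiers.RSA_PSS_USING_SHA512)
                .setExpectedIssuer(issuerId)   // iss required and equal to issuerId
                .setRequireIssuedAt()          // iat required
                .setRequireExpirationTime()    // exp required; expired tokens are rejected
                .build()
                .process(jwt);
        if (!keyId.equals(ctx.getJoseObjects().get(0).getKeyIdHeaderValue())) {
            throw new IllegalStateException("kid header is missing or is not the onboarded key id");
        }
        String sub = ctx.getJwtClaims().getSubject();
        if (sub != null && !SHA256_HEX.matcher(sub).matches()) {
            throw new IllegalStateException("sub is not a hex-encoded SHA-256 digest");
        }
        return ctx.getJwtClaims();
    }

    public static void main(String[] args) throws Exception {
        RsaJsonWebKey jwk = RsaJwkGenerator.generateJwk(2048); // constructed throwaway key pair
        JwtClaims claims = new JwtClaims();
        claims.setIssuer("acmeBank");
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(5);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(jwk.getPrivateKey());
        jws.setHeader("typ", "JWT");
        jws.setHeader("kid", "12345abcde"); // sample key id from the header example
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        System.out.println(check(jws.getCompactSerialization(), "acmeBank", "12345abcde", jwk.getPublicKey()));
    }
}
```

In production, pass the public key that was registered during onboarding rather than a generated one, so a mismatch between the signing key and the onboarded key is caught on the issuer side.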

