Skip to main content

How to generate a JSON Web Token (JWT)

How to generate a JSON Web Token (JWT)

Last updated: 04-May-2022
Rate this article:


In order to pass the identity of the merchant to the 2Checkout Signature Generation API endpoint, you need to generate a valid JSON Web Token (JWT). This is an Internet standard for creating JSON-based access tokens that assert some number of claims.

The website allows you to decode, verify, and generate JSON Web Tokens.

Recommended resources

JWTs are credentials, which can grant access to resources. Be careful where you paste them! 

Generate a merchant JWT

To generate a merchant JWT, follow the steps below:

1. Before generating a JWT, you need to copy the Buy-link Secret Word from your Merchant Control Panel. Log in to your Control Panel and navigate to Integrations → Webhooks & APISecret word section.

2. Copy the string from the Buy-link Secret Word field to the clipboard.

3. Navigate to the website and start generating the JWT token.

  • In the Debugger section, you need to input data into the sections highlighted in this image.



  • The data in the HEADER section identifies which algorithm and token type are used to generate the signature. For your JWT token, use HMAC-SHA-512 (HS512) and token type JWT:
    • alg: HS512 (string, required) - encryption algorithm;

    • typ: JWT (string, required) - token type;

 "alg" : "HS512",
 "typ" : "JWT"
  • The PAYLOAD section contains a set of claims. The JWT specification defines seven Registered Claim Names which are the standard fields commonly included in tokens. For your JWT, use the following claims:
    • sub: MERCH_CODE (string, required) - subject, the merchant code whom the token refers;

    • iat: 1580915730 (string, required) - issued at, must be current timestamp since the UNIX epoch;

    • exp: 1580915730 (string, optional) - expiration time, must be in UNIX timestamp format from future.

If the expiration time (exp) is not provided, the JWT token expiration time will be calculated from iat + 30 minutes.

All the other fields/claims will be ignored.

  "sub": "MERCH_CODE",
  "iat": 1580912768,
  "exp": 1580916205
  • In the VERIFY SIGNATURE section, you calculate the signature. This is calculated by encoding the header and payload using Base64url encoding and concatenating the two values with a period separator. Then run the resulting string through the cryptographic algorithm specified in the header, which in this case is HMAC-SHA512.
  • For your JWT token, replace the <Buy link secret word> from the example below with your Buy-link Secret Word from step 1.
  base64UrlEncode(header) + "." +
  <Buy link secret word>
  •  You will get the JWT token:

4. Use this JWT token in the future to pass your identity as a merchant to the 2Checkout Signature Generation API endpoint. 

Rate this article:
Logo of Verifone