PlainID supports returning Authorization decisions as signed JWTs, enabling secure and verifiable responses from the Policy Decision Point. To enable this capability, the PDP retrieves a private signing key through the Secret Management Service. Additional configuration is required at both the Policy Authorization Agent (PAA) and Policy Administration Point (PAP) levels.
The sections below explain how to configure these settings, including defining the key source and customizing the Attributes of the signed JWT response.
Scope Level Configuration
Alongside configuring the Secret Management Service and Secret Store in the Policy Authorization Agent (PAA), you must also define JWT-related settings in the PlainID Policy Administration Point.
To create or manage Scopes, refer to Managing Scopes.
JWT Signing Settings
This section outlines how the PDP retrieves the private key used to sign the JWT.
The Secret Store determines where the key is stored. If no value is specified, the default Secret Store is used.
The Path to Key and Key Name specify the exact location of the key within the store. If omitted, default values from the Secret Store configuration or the Scope Client ID may be applied.
See Managing Scope Authentication and Settings for more information.
To configure JWT signing settings:
- Specify the Secret Store that contains your signing key. If not defined, the default Secret Store is used.
- Provide the Path to Key to indicate where the key is stored. If left blank, the default path from the store configuration is applied.
- Specify the Key Name to identify the key. If not defined, the Scope Client ID is used.
JWT Response Settings
This section describes the standard claims and validation parameters included in the JWT.
The KID (Key ID) identifies the signing key and appears in the JWT header. The Audience defines the intended recipient of the token. The X509 Certificate is published so that clients can validate the token signature. The Token Lifetime determines how long the token remains valid.
To configure JWT response settings:
- Specify the KID (Key ID) to identify the signing key in the JWT.
- Provide the Audience if your application requires an aud claim.
- Paste the X509 Certificate that clients use to validate the JWT.
- Define the Token Lifetime (EXP in seconds) to control how long the token remains valid.
JWT Response Customization
This section explains how Authorization decisions are embedded within the JWT.
You can decide whether to include the incoming IDP JWT payload or generate a new token. The claim Attribute name determines where the Authorization decision is stored, while the template defines how that decision is structured. The delimiter specifies how multiple values are separated.
To customize the JWT response:
- Choose whether to include the Incoming IDP JWT Payload.
- Specify the Claim Attribute Name to store the Authorization decision.
- Define the Template used to structure the Authorization data (for example: {{asset_type}}:{{asset_id}}:{{action}}).
- Select the Item Delimiter to separate multiple values.
By completing these configurations, you determine how the PDP signs JWT responses, how clients validate them, and how Authorization decisions are represented within the token.
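As an added illustration, not PlainID's own code or the PDP's actual token layout, the Go program below shows the two halves described on this page: a PDP-style signer that puts the KID in the header and aud, exp and a decision claim built from the {{asset_type}}:{{asset_id}}:{{action}} template and an Item Delimiter into the payload, and a client that validates the token with the public key from the published certificate before reading the decisions. The claim name "authz", the RS256 algorithm and the in-memory key are assumptions; in a deployment the claim name is whatever you set as the Claim Attribute Name and the key comes from the Secret Store.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Decision is one item of the decision claim in the template {{asset_type}}:{{asset_id}}:{{action}}.
type Decision struct{ AssetType, AssetID, Action string }
var enc = base64.RawURLEncoding
// GenerateSigningKey makes a throwaway RSA key for this demo; a real PDP loads its key from the Secret Store.
func GenerateSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// SignResponse plays the PDP: RS256-signs a payload whose "authz" claim (an assumed claim name)
// joins the decision items with the configured Item Delimiter. Illustrative, not PlainID's own code.
func SignResponse(key *rsa.PrivateKey, kid, aud string, exp int64, items []string, delim string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(map[string]interface{}{"aud": aud, "exp": exp, "authz": strings.Join(items, delim)})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + enc.EncodeToString(sig), err
}
// VerifyResponse plays the client: pin alg and KID, verify the signature with the public key from
// the published X509 certificate, check aud and exp, and only then parse the decision claim.
func VerifyResponse(tok string, pub *rsa.PublicKey, kid, aud, delim string, now int64) ([]Decision, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 { return nil, fmt.Errorf("malformed token") }
	dec := func(s string) []byte { b, _ := enc.DecodeString(s); return b } // bad base64 fails the checks below
	var hdr struct{ Alg, Kid string }
	var pl struct{ Aud, Authz string; Exp int64 }
	if json.Unmarshal(dec(p[0]), &hdr) != nil || json.Unmarshal(dec(p[1]), &pl) != nil { return nil, fmt.Errorf("undecodable token") }
	h := sha256.Sum256([]byte(p[0] + "." + p[1])) // pin alg and KID: never let the token choose how it is verified
	if hdr.Alg != "RS256" || hdr.Kid != kid || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], dec(p[2])) != nil {
		return nil, fmt.Errorf("alg, kid or signature rejected")
	}
	if pl.Aud != aud || pl.Exp <= now { return nil, fmt.Errorf("wrong audience or expired") }
	var out []Decision
	for _, item := range strings.Split(pl.Authz, delim) {
		f := strings.Split(item, ":")
		if len(f) != 3 { return nil, fmt.Errorf("item %q does not match template", item) }
		out = append(out, Decision{f[0], f[1], f[2]})
	}
	return out, nil
}
```

A client should obtain the public key by parsing the X509 Certificate published in the Scope settings (for example with crypto/x509) rather than from the token itself, and compare the header KID with the configured value exactly as done above.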