Small and medium business | Business Central, N...

Create JWT Token with Sign Key

(6) Share

Report

Posted on by WG-30101256-0

Is there a way to create a JWT token and sign it with a sign key in AL?
Background: There are APIs that expect a JWT token but do not have an endpoint to generate it. Instead, the client has the signature key and generates the token itself if required. I have not yet found a solution for this type of API in AL. I have built the following solution myself, which I think would be good to have in the standard (possibly System Application?):

    procedure CreateJWT(PayloadJsonInfo: JsonObject; SignKey: Text; Algorithm: Text; ExpireIn: Integer) JWTToken: Text
    var
        CryptographyMgt: Codeunit "Cryptography Management";
        BaseConvert: Codeunit "Base64 Convert";
        Header, PayLoad, Signature : Text;
        JWTHeaderLbl: Label '{"alg":"%1","typ":"JWT"}', Locked = true;
        JWTIssuedAtLbl: Label 'iat', Locked = true;
        JWTExpireInLbl: Label 'exp', Locked = true;
    begin
        PayloadJsonInfo.Add(JWTIssuedAtLbl, GetCurentDateTimeAsUnixTimeStamp());
        PayloadJsonInfo.Add(JWTExpireInLbl, GetCurentDateTimeAsUnixTimeStamp() + ExpireIn);
        PayloadJsonInfo.WriteTo(PayLoad);
        Header := BaseConvert.ToBase64(StrSubstNo(JWTHeaderLbl, Algorithm)).Replace('=', '');
        PayLoad := BaseConvert.ToBase64(PayLoad).Replace('=', '');
        JWTToken := Header + '.' + PayLoad;
        Signature := CryptographyMgt.GenerateHashAsBase64String(JWTToken, SignKey, Enum::"Hash Algorithm"::SHA256);
        JWTToken := JWTToken + '.' + Signature.Replace('=', '').Replace('/', '_').Replace('+', '-');
    end;

I have the same question (0)

All responses (6)

Answers (0)

Ramesh Kumar 7,527 Super User 2025 Season 2 on at

Like (0)

Report

Creating a JWT (JSON Web Token) in AL (Dynamics 365 Business Central) can be a bit tricky since AL doesn’t have built-in support for JWT creation.

Payload and Header Setup and Base64 Encoding:

procedure CreateJWT(PayloadJsonInfo: JsonObject; SignKey: Text; Algorithm: Text; ExpireIn: Integer) JWTToken: Text
var
CryptographyMgt: Codeunit "Cryptography Management";
BaseConvert: Codeunit "Base64 Convert";
Header, PayLoad, Signature : Text;
JWTHeaderLbl: Label '{"alg":"%1","typ":"JWT"}', Locked = true;
JWTIssuedAtLbl: Label 'iat', Locked = true;
JWTExpireInLbl: Label 'exp', Locked = true;
begin
// Add issued-at (iat) and expiration (exp) timestamps to the payload
PayloadJsonInfo.Add(JWTIssuedAtLbl, GetCurentDateTimeAsUnixTimeStamp());
PayloadJsonInfo.Add(JWTExpireInLbl, GetCurentDateTimeAsUnixTimeStamp() + ExpireIn);

// Convert the JSON object to a string for the payload
PayloadJsonInfo.WriteTo(PayLoad);

// Base64 encode the header and payload
Header := BaseConvert.ToBase64(StrSubstNo(JWTHeaderLbl, Algorithm)).Replace('=', ''); // Remove padding
PayLoad := BaseConvert.ToBase64(PayLoad).Replace('=', ''); // Remove padding

// Create the JWT token (header + payload)
JWTToken := Header + '.' + PayLoad;

// Generate the signature using the hashing algorithm and secret key
Signature := CryptographyMgt.GenerateHashAsBase64String(JWTToken, SignKey, Enum::"Hash Algorithm"::SHA256);

// URL-safe Base64 encoding of the signature (replace characters)
JWTToken := JWTToken + '.' + Signature.Replace('=', '').Replace('/', '_').Replace('+', '-');
end;

Thanks

Ramesh

If this helped you, please check the box Does this answer your question?

Was this reply helpful? Yes No
WG-30101256-0 20 on at

Like (1)

Report

@Ramesh Kumar: This is exactly the same function that I posted in the question! By the way, this function is created by me. You have now added comments to the same function and are asking if it is the solution. NO! The question was not how to solve it, but whether it can be adopted in the standard so that not everyone has to develop it themselves.

Was this reply helpful? Yes No
Gerardo Rentería Ga... 25,225 Most Valuable Professional on at

Like (1)

Report

Hi, good day
I hope this can help you, and give you some hints.

A deeper dive into Business Central API and OAuth2 tokens

OAuth 2.0 / JWT in AL

Best Regards
Gerardo

Was this reply helpful? Yes No
WG-30101256-0 20 on at

Like (1)

Report

gdrenteria : Both posts refer to how I deal with a JWT token that I receive from an external source (not AL). But what if I need to create one myself? I am given the signature key and I have to create the token myself and sign it with the private key (e.g. connections to the Cosmos DB). The solution is not difficult and is posted as part of the question. The question is more an idea: It is about implementing it as a standard, as it is possible in almost all other programming languages.

Before other people answer like this: Please read the post and, if necessary, this answer before you give an answer. And if you are not familiar with techniques like encryption and signing, please don't answer.

Was this reply helpful? Yes No
Ramesh Kumar 7,527 Super User 2025 Season 2 on at

Like (0)

Report

Hi,

I just wanted to mention that I've seen customers or partners use JWT tokens to protect data on external platforms like websites or vendor/customer portals, not for AL sign-ins.

Sorry, I'm not sure at this point. Please do update me if you figure it out.

Thanks

Ramesh

Was this reply helpful? Yes No
Suggested answer

Khushbu Rajvi. 20,441 Super User 2025 Season 2 on at

Like (1)

Report

Hope this helps: https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization

Was this reply helpful? Yes No