Securing your API integrations and webhook communications is straightforward with JSON Web Token (JWT) authentication in Marketing Cloud. A signed JWT lets your endpoint confirm that an incoming webhook call genuinely originates from Marketing Cloud and that the signed content has not been altered in transit, adding a critical layer of protection for sensitive customer information and for the reliability of your automated workflows.
For organizations with rigorous security standards or those managing sensitive customer data, JWT authentication is especially beneficial, offering cryptographic proof of message authenticity and blocking unauthorized access to your API endpoints.
Maropost supports JSON Web Tokens (JWT) as a method of authorizing data exchange, a proven approach for transmitting information securely between systems.
Because Maropost signs each JWT with its private key and gives you the matching public key, you can trust that a webhook callback carrying a token that verifies under that key is authentically from us. The signature is computed over both the JWT header and the JWT payload, so you can independently verify that the signed content has not been modified.
JWT enforcement is optional in Maropost; it's not required by default. You can, however, enable JWT authentication in the following areas:
- Journeys: HTTP POST action
- Data Journeys: HTTP Request action
What is JSON Web Token (JWT)?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. The information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Generating and Using JWT
Follow the steps shown below to generate a JSON web token:
- To access the JSON Web Token page, go to the navigation panel and click on Settings.
- Choose JSON Web Token under the Connections category.
- Click on the Generate JWT button.
The JWT gets generated and displayed on the page.
Note: You can refresh the JWT by clicking the "Re-generate JWT" button. This generates a new key pair; the new public key is shown on the page and must replace the old one in your verification code, because all subsequent webhook calls are signed with the new key and will no longer verify under the old one.
Once generated, the JWT is displayed on the JSON Web Token page. Copy the token exactly as it is displayed on the page and paste it into the code in your system that validates Maropost's calls to your API endpoint; stray whitespace or a truncated copy will make every verification fail.
Authenticating JWT
Maropost uses the public/private key pair to sign the JWT with the RS256 algorithm (RSASSA-PKCS1-v1_5 with SHA-256). RS256 is a signature scheme, not encryption: the claims are readable by anyone who holds the token and are protected only against modification. The JWT is included in a header of the HTTPS POST call that Maropost makes to your API endpoint.
Verify the JWT's signature with the public key before acting on anything in it. Decoding the base64url header and payload requires no key and proves nothing; your code should pin the expected algorithm to RS256 rather than honouring whatever alg the token's own header claims, check the signature, and only then evaluate the claims below.
Maropost includes the following claims in the JWT:
- jti: A unique identifier generated each time a webhook call is made to your API endpoint. Record the values you have accepted so that a captured token cannot be replayed within its validity window.
- exp: The expiration time on or after which the JWT must not be accepted for processing.
- nbf: The time before which the JWT must not be accepted for processing.
- iss: The issuer of the JWT, which in this case will always be "Maropost Inc."
- iat: The time at which the JWT is issued. This claim can be used to determine the age of the JWT.
- sub: The subject of this JWT. For example, "journeys" indicates that the HTTPS POST payload was triggered by a journey.