Encode a JWT Using a Customer Key

You can create a customer key, and then use it to encode custom journey requests as JSON Web Tokens (JWTs). By encoding requests as JWTs, your external application can validate that requests issued by custom journeys originate from Marketing Cloud Engagement.

To encode a JWT, you must provide a cryptographic salt. Marketing Cloud Engagement uses this salt to increase the encrypted key’s security.

The salt must be encoded in hexadecimal. You can use command-line programs to convert your salt to hexadecimal. The procedure for converting your salt to hexadecimal depends on your operating system.

  • In Windows PowerShell, enter this command: '<mySalt>' | Format-Hex
  • In macOS, Linux, or Unix terminals, enter this command: echo -n '<mySalt>' | xxd -p

In these commands, replace <mySalt> with your salt string. Both commands return a hexadecimal-encoded string. Add the 0x prefix to the beginning of the hexadecimal string to get a salt value.

For example, the string E9!wU3@0P02l is equivalent to the hexadecimal string 45392177553340305030326c. The complete hexadecimal salt string becomes 0x45392177553340305030326c.

Complete these steps to create a security key to use in Journey Builder.

  1. In Marketing Cloud Engagement Setup, under Data Management, click Key Management.
  2. Click Create.
  3. For Key Type, choose Salt.
  4. For Name, enter a name for the key.
  5. For External Key, enter your external key. The value that you enter can only contain ASCII characters.
  6. For Salt, enter the hexadecimal-encoded salt.
  7. Save the key.

When you use the API to create a custom REST activity in a journey, you can require the activity to use the provided salt to encode requests as JWTs.

  1. In the arguments of the custom activity, specify the parameter "useJwt": true.

  2. Set the value of customerKey to equal the external key.

    If your application is only registered for a single stack, you can omit the customerKey parameter. If you do, Marketing Cloud Engagement uses your application’s signature as the signing key.

To decode a JWT, use an HS256 JWT validation library such as jose, JWT.NET, or java-jwt. For Salt keys, pass to the library the JWT and the unencoded salt string, which is the string before conversion to hexadecimal.
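The decoding step above, written out with only the Python standard library so each check is visible. This is an added example, not Salesforce code or one of the libraries named above. It assumes the HMAC key is the UTF-8 bytes of the unencoded salt; the function names and the sample payload are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def salt_to_hex(salt: str) -> str:
    """Hex form entered in Key Management: 0x + hex of the salt bytes."""
    return "0x" + salt.encode("utf-8").hex()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(payload: dict, salt: str) -> str:
    """Build a constructed token so the verifier can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(salt.encode("utf-8"), f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{_b64url_encode(mac.digest())}"


def verify_hs256(token: str, salt: str) -> dict:
    """Return the payload if the signature verifies, else raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed JWT") from exc
    # Pin the algorithm on the receiving side; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Assumption: the key is the unencoded salt, not the 0x... hex form.
    key = salt.encode("utf-8")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


SALT = "E9!wU3@0P02l"  # example salt from this page; use your own secret
```

Passing the hexadecimal form of the salt to the verifier fails the signature check, which is the usual cause of rejected requests when the key was entered correctly in Key Management.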

This sample journey request body includes a custom REST activity. The custom activity uses a JWT to securely interact with an external application.