Encode with Customer Key

1. To get a JWT, create an External Key in Marketing Cloud
2. Select Salt for the Encryption Type. This is the only recommended encryption type for Journey Builder.
3. When creating the External Key, only use characters from the lower ASCII set (space through tilde).
4. Enter the hexidecimal salt into the Salt field.

Convert Salt keys to hexidecimal in the 0x... format (e.g. Hello world becomes 0x48656c6c6f20776f726c64), and save that value in the Salt encryption field. On unix-like systems you can pipe your value into the command xxd -p then just add the leading 0x.

When "useJwt": true in the activity's arguments, the External Key is required and is passed in to the customerKey string. If your application is only registered for a single stack, and you wish to use your application's signature as the signing key, then customerKey is optional.

Within your activity, for each call (save, validate, publish, execute) for which you wish to receive a JWT.

• Set "useJwt": true
• Set "customerKey": "your-encryption-customer-key-here"

For Salt keys, use the original set of bytes (prior to conversion to hexidecimal). Pass the JWT and the key (the original bytes, not hex encoded) into your HS256 JWT validation library.

• Create an External Key in Marketing Cloud
• Encode with JWT Signing Secret