Encode Custom Activities Using a JWT

Marketing Cloud Engagement uses JSON Web Tokens (JWTs) to validate the identity of API calls to your custom activities. Use a JWT for activities that retrieve sensitive data or perform sensitive actions.

JWTs are encoded, but they aren’t encrypted. Encryption is handled at the transport layer using Secure Sockets Layer (SSL). To use a JWT, your application must have SSL enabled.

When your application calls the API, Marketing Cloud Engagement posts the encoded JWT to the activity’s endpoint. The JWT lets your application know that the user calling the API is an authorized user.

You can obtain a JWT by providing your customer key. Alternatively, you can use your JWT signing secret as a signing key.

Use an external key as the signing key. Pass the external key into the customerKey field in the body of the custom activity request. (The external key and customer key are synonyms.)

You can use the JWT Signing Secret for your application as a fallback signing key. Use this method when the customerKey isn’t included in the custom activity request body. This method is helpful in situations where an integration partner hosts an application used by multiple users. By passing the Signing Secret, you can determine the origin of a custom activity request.
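The following sketch shows how an activity endpoint can check the posted JWT before trusting its contents. It is an added example, not Salesforce code. It assumes the token is signed with HMAC-SHA256 (HS256), which this page does not state, and that `signing_key` is whichever key applies to your activity (the key referenced by customerKey, or the JWT Signing Secret). The function names, key value, and payload are constructed for illustration.

```python
import base64, hashlib, hmac, json

class InvalidToken(Exception):
    """Raised when the posted JWT must not be trusted."""

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def verify_activity_jwt(token: str, signing_key: bytes) -> dict:
    """Return the decoded payload only if the HS256 signature matches."""
    try:
        header_b64, payload_b64, sig_b64 = token.strip().split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise InvalidToken("malformed token") from exc
    # Pin the algorithm (assumed HS256); never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected algorithm")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(signing_key, signed, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")
    try:
        return json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("malformed payload") from exc

def sign_for_test(payload: dict, signing_key: bytes) -> str:
    """Build a constructed HS256 token so the example runs offline."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(signing_key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

if __name__ == "__main__":
    key = b"constructed-signing-secret"  # placeholder, not a real secret
    token = sign_for_test({"inArguments": [{"contactKey": "constructed-001"}]}, key)
    print(verify_activity_jwt(token, key))
```

Because the JWT is only encoded, anyone who sees the token can read its payload; the signature check is what establishes that the request came from a holder of the signing key.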