Encode Custom Activities Using a JWT

Marketing Cloud uses JSON Web Tokens (JWTs) to validate the identity of API calls to your custom activities. Use a JWT for activities that retrieve sensitive data or perform sensitive actions.

JWTs are encoded, but they aren’t encrypted, so anyone who obtains a token can read its contents. Encryption is handled at the transport layer using Secure Sockets Layer (SSL). To use a JWT, your application must have SSL enabled.

When your application calls the API, Marketing Cloud posts the encoded JWT to the activity’s endpoint. The JWT lets your application know that the user calling the API is an authorized Marketing Cloud user.

You can obtain a JWT by providing your customer key. Alternatively, you can use your JWT signing secret as a signing key.

Use an external key from Marketing Cloud as the signing key. Pass the external key into the customerKey field in the body of the custom activity request. (The external key and customer key are synonyms.)

You can use the JWT Signing Secret for your application as a fallback signing key. Use this method when the customerKey isn’t included in the custom activity request body. This method is helpful in situations where an integration partner hosts an application used by multiple Marketing Cloud users. By passing the Signing Secret, you can determine the origin of a custom activity request.
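The following Node.js sketch is an added example, not Marketing Cloud's own code. It shows the check an activity endpoint performs on the posted token: the payload decodes without any key, and only the signature check against the signing key establishes where the request came from. It assumes a compact JWT signed with HS256; the function names, sample key, and sample payload are constructed for illustration.

```javascript
// Added example, not Marketing Cloud's own code. Node.js built-in modules only.
const crypto = require('crypto');

const toB64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Assumption: the posted token is a compact JWT signed with HMAC-SHA256 (HS256).
// signingKey is whichever key applies: the external key or the JWT Signing Secret.
function verifyActivityJwt(token, signingKey) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;
  // Pin the algorithm on the server side; never let the token choose it.
  if (fromB64url(h).alg !== 'HS256') throw new Error('unexpected alg');
  const mac = crypto.createHmac('sha256', signingKey).update(`${h}.${p}`);
  const expected = Buffer.from(mac.digest('base64url'));
  const given = Buffer.from(s);
  // Constant-time comparison of the encoded signatures.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  return fromB64url(p); // claims are trusted only after the signature check
}

// Decoding needs no key: the payload is encoded, not encrypted.
function decodeWithoutVerifying(token) {
  return fromB64url(String(token).split('.')[1]);
}

// Constructed helper that builds sample tokens for the demonstration.
function signSample(payload, key, header = { alg: 'HS256', typ: 'JWT' }) {
  const input = `${toB64url(header)}.${toB64url(payload)}`;
  return `${input}.${crypto.createHmac('sha256', key).update(input).digest('base64url')}`;
}

// Returns the verified claims, or the rejection reason as a string.
function tryVerify(token, key) {
  try { return verifyActivityJwt(token, key); } catch (e) { return e.message; }
}

const SAMPLE_KEY = 'constructed-signing-secret'; // constructed, not a real secret
const SAMPLE_TOKEN = signSample({ contactKey: 'constructed-0001' }, SAMPLE_KEY);

console.log('readable without key:', decodeWithoutVerifying(SAMPLE_TOKEN));
console.log('right key:', tryVerify(SAMPLE_TOKEN, SAMPLE_KEY));
console.log('wrong key:', tryVerify(SAMPLE_TOKEN, 'some-other-key'));
```

Call `verifyActivityJwt` before acting on anything in the request, and treat any thrown error as an unauthenticated request.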