Some of the ISL Online APIs require signed requests. For that purpose we use JWT (JSON Web Token, described in detail in RFC 7519).
The only signature algorithm ISL Online APIs allow in a JWT is RSASSA-PKCS1-v1_5 with the SHA-256 hash algorithm ("RS256", as registered in RFC 7518); no other alg value, including "none", is accepted.
The rules of communication still follow the specifications defined in Communication model. The main difference is that the request fields must be sent as part of the JWT payload instead of as key-value pairs in GET or POST.
Making a JWT request
The JWT must be sent via the POST method as a JSON object with a single jwt field holding the compact serialization (header, payload and signature, each base64url-encoded and joined by dots):
{ "jwt" : "jwt_head.jwt_payload.jwt_signature" }
Each JWT request must include these registered claims (RFC 7519, section 4.1):
- iss - the caller's user ID
- iat - Unix timestamp at which the JWT was issued
- exp - Unix timestamp after which the request is no longer valid
In addition to the registered claims, one private claim must be included in each JWT request:
- rid - partner ID
Before attempting any JWT API calls, the creation and exchange of certificates must be discussed with ISL Online. The private key belonging to that certificate is what signs every JWT request; the certificate itself carries the matching public key, which ISL Online uses to verify the signature. Only the certificate is exchanged, and the private key must never leave the caller's side.
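The whole procedure above, as an added example that is not ISL Online's own code or client library: it builds the RS256 token with the iss, iat, exp and rid claims, wraps it in the {"jwt": ...} POST body, and shows what a receiver must check before trusting the payload (alg pinned to RS256, signature valid under the public key, all four claims present, exp not passed). The user ID "user-123" and partner ID "partner-42" are constructed, and the key is generated in-process as a stand-in for the private key behind the certificate exchanged with ISL Online.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ISLClaims is the payload of every ISL Online JWT request: the registered
// claims iss, iat and exp plus the private claim rid.
type ISLClaims struct {
	Iss string `json:"iss"` // caller's user ID
	Iat int64  `json:"iat"` // Unix time the token was issued
	Exp int64  `json:"exp"` // Unix time after which the request is invalid
	Rid string `json:"rid"` // partner ID (private claim)
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewKey generates a throwaway RSA key; in real use the private key behind the
// certificate exchanged with ISL Online is loaded instead (example assumption).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignRS256 produces the compact serialization header.payload.signature,
// signed with RSASSA-PKCS1-v1_5 over SHA-256 (RS256, RFC 7518).
func SignRS256(claims ISLClaims, key *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// RequestBody wraps the token in the JSON object sent as the POST body.
func RequestBody(token string) ([]byte, error) {
	return json.Marshal(map[string]string{"jwt": token})
}

// VerifyRS256 is the receiver's side: alg is checked before any key material is
// used (so "none" or an HMAC alg is refused), the signature is verified with the
// public key from the certificate, then claims and expiry are checked. now is a
// parameter so expiry behaviour can be tested deterministically.
func VerifyRS256(token string, pub *rsa.PublicKey, now time.Time) (claims ISLClaims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, errors.New("token must have exactly three segments")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return claims, fmt.Errorf("segment %d is not base64url: %w", i, err)
		}
	}
	var header struct{ Alg string `json:"alg"` }
	if err = json.Unmarshal(raw[0], &header); err != nil {
		return claims, err
	}
	if header.Alg != "RS256" {
		return claims, fmt.Errorf("alg %q not allowed, only RS256 is", header.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return ISLClaims{}, errors.New("signature does not verify")
	}
	if err = json.Unmarshal(raw[1], &claims); err != nil {
		return ISLClaims{}, err
	}
	if claims.Iss == "" || claims.Rid == "" || claims.Iat == 0 || claims.Exp == 0 {
		return ISLClaims{}, errors.New("iss, iat, exp and rid are all required")
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		return ISLClaims{}, errors.New("token has expired")
	}
	return claims, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	claims := ISLClaims{Iss: "user-123", Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix(), Rid: "partner-42"}
	token, err := SignRS256(claims, key)
	if err != nil {
		panic(err)
	}
	body, _ := RequestBody(token)
	fmt.Println(string(body)) // the POST body: {"jwt":"<header>.<payload>.<signature>"}
	_, err = VerifyRS256(token, &key.PublicKey, now)
	fmt.Println("verifies:", err == nil)
}
```

Keep exp short (minutes, not days): the token is a bearer credential, and a stolen one can be replayed until exp passes. The alg check runs before the signature check on purpose; verifying with whatever alg the header names is the classic JWT confusion mistake.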