Asymmetric JWT signing for enterprise-grade webhook and request authentication
- `jti` (UUIDv7) prevents token reuse
- `iat`, `nbf`, and `exp` claims enforce temporal validity

Header | Type | Purpose | Validation Required |
---|---|---|---|
alg | String | Signing algorithm (RS256) | Must be RS256 |
typ | String | Token type (JWT) | Must be JWT |
kid | String | Key ID for key pair lookup | Must match a key in your JWKS |

Claim | Type | Purpose | Validation Required |
---|---|---|---|
sub | String | Org ID | Must match your application’s Bland Org ID |
jti | UUIDv7 | Unique token identifier | Track to prevent replay attacks |
iat | Unix timestamp | Issued at time | Reject if future (clock skew) |
nbf | Unix timestamp | Not valid before | Reject if current time < nbf |
exp | Unix timestamp | Expiration time | Reject if expired |
iss | String | Issuer URL | Must match https://api.bland.ai/orgs/{org_id} |
aud | String | Intended recipient | Must match your service identifier |
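
The checks from the two tables above, as an added example (not Bland's code) applied to a token whose RS256 signature a JWT library has already verified. The 60-second skew, `org_example`, `key-2024-01` and all function names are assumptions.

```python
import time

SKEW = 60  # tolerated clock drift in seconds (assumed value, not from the page)

class TokenRejected(Exception):
    """Raised when a header or claim fails a check from the tables."""

def check(cond, reason):
    if not cond:
        raise TokenRejected(reason)

def validate(header, claims, *, org_id, audience, jwks_kids, seen_jti, now=None):
    """Apply the table checks to an already signature-verified token.

    seen_jti: dict of jti -> exp, the replay cache (in-memory here; a shared
    store is needed when several workers receive the same webhooks).
    """
    now = time.time() if now is None else now
    check(header.get("alg") == "RS256", "alg must be RS256")
    check(header.get("typ") == "JWT", "typ must be JWT")
    kid = header.get("kid")
    check(isinstance(kid, str) and kid in jwks_kids, "kid not in JWKS")
    check(claims.get("sub") == org_id, "sub is not our org")
    check(claims.get("iss") == f"https://api.bland.ai/orgs/{org_id}", "iss mismatch")
    check(claims.get("aud") == audience, "aud mismatch")
    for name in ("iat", "nbf", "exp"):
        check(type(claims.get(name)) in (int, float), f"{name} missing or not numeric")
    check(claims["iat"] <= now + SKEW, "iat is in the future")
    check(claims["nbf"] <= now + SKEW, "token not yet valid")
    check(claims["exp"] > now - SKEW, "token expired")
    # Drop cache entries whose tokens can no longer pass the exp check.
    for old in [j for j, exp in seen_jti.items() if exp <= now - SKEW]:
        del seen_jti[old]
    jti = claims.get("jti")
    check(isinstance(jti, str) and jti, "jti missing")
    check(jti not in seen_jti, "jti already seen (replay)")
    seen_jti[jti] = claims["exp"]  # remembered only for the token's lifetime
    return claims

# Constructed sample token contents (not real Bland traffic).
ORG = "org_example"
HEADER = {"alg": "RS256", "typ": "JWT", "kid": "key-2024-01"}

def sample_claims(now):
    return {"sub": ORG, "iss": f"https://api.bland.ai/orgs/{ORG}",
            "aud": "svc:webhook-processor", "jti": "018f4e3a-7b2c-7d4e-8a1b-2c3d4e5f6a7b",
            "iat": now - 5, "nbf": now - 5, "exp": now + 300}
```

Because the replay cache stores each `jti` with its `exp`, it stays bounded: an entry is dropped once the token it belongs to could no longer pass the expiry check.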
`svc:webhook-processor`)
`kid`
`kid`:
`kid` for investigation
`exp`, cannot forge new requests
`jti` uniqueness within the token’s lifetime
`kid`
`iat` (issued-at) times

ERR_JWKS_NO_MATCHING_KEY errors
Token expired errors during normal operations
Replay detection triggering on legitimate requests
jti
Cannot verify after emergency revocation