JavaScript is disabled. Some features may not work. You can also read the static version: View text version

JWT Encryption Guide

Juspay uses JWS to sign request payloads, and JWE to encrypt the signed request. These are created by using 2 sets of Private Key & Public Keys issued for merchants and Juspay. Merchants will use their private key to sign the API request payload and then encrypt the signed API request with Juspay’s public key. Juspay will use its private key to decrypt the message and Merchant’s public key to verify the signature.

Keys Generation

How to Generate 2 sets of Public Private Key required for JWT Authentication:

Login to Juspay Portal (Sandbox: https://sandbox.portal.juspay.in; Production: https://portal.juspay.in )
Navigate to Payments » Settings » Security module
Scroll Down to JWT Keys section
Click on Upload New JWT
If merchants do not have a public-private key pair generated,
click on option 1 - I don’t have the JWT Keys, I want to auto generate the keys.

Auto Generating the Keys
- Juspay public key and merchant’s private key will be auto downloaded as a zip file in the merchant's default browser download folder.
- Juspay will never store a merchant's private key even though the keys are auto generated.
If a merchant has already generated their set of public-private keys, they can click on option 2 - I have the JWT Keys already, I want to manually upload the Public Key.

Uploading Public Key Manually
- Merchants will have to upload their private key in the upload file section.
- Post upload, Juspay’s public Key will be auto downloaded in the merchant's default browser download folder.
At the end of this step, merchants will have 2 keys - Merchant’s private key and Juspay’s public key which will be used for signing and encryption.
Kindly keep a note of Key Uuid for the JWT keys to be used for encryption and signing. This will be displayed on dashboard post generation.

JWT Encryption

Steps to construct a JWT Payload

Every request sent to Juspay via JWT authentication must be signed and encrypted.

Create the JWS Header. The algorithm used to sign the message body is RSA-OAEP.
JWS key id is the Key uuid(Dashboard Key UUID) for JWT keys.
Sign the payload message by Merchant's private key and build the JWS serialization string.
Create the JWE Header. The algorithm used to encrypt the message body is A256GCM while the algorithm used to encrypt the encryption key is RSA_OAEP_256.
Encrypt the JWS serialization string by Juspay’s public certificate and build the JWE serialization string.

JWT Encryption Guide

JWT Encryption

JWT Decryption

Encryption Logic

Decryption Logic

Encrypted API Samples

1. Session API

2. Order Status API

3. Refund Order API

4. Mandate Execution API