...
The requestor must ensure that the machine on which the signature is generated uses NTP to synchronise its clock.
The requestor must construct the header and payload for the JWT as specified in https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv3APIHubDocsv5/pages/134938986/JWT+Auth+Specification#JWTedit-v2/180781316#3.-JWT-Auth-Claims-Reference.
The JWT must be signed using the PS256 algorithm with a private key whose public part has been published on the JWKS. The JWT must be included as a bearer token in the authorization HTTP header. The HTTPS request must be made over mutual TLS. The client certificate used to initiate the mutual TLS session must have a DN and OU that match the values placed in the signature.
...
The receiver must ensure that the machine on which the signature is verified uses NTP to synchronise its clock.
The receiver must ensure that the request was received over a mutual tls connection.
The receiver must extract the jwt-auth token from the authorization HTTP header. The receiver must verify the signature on the JWT using the kid specified in the JWS and the JWKS pre-specified by the sender. The receiver may cache the JWKS for up to ten minutes.
The receiver must verify that each of the claims in the JWT has the expected value specified in https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv3APIHubDocsv5/pages/134938986/JWT+Auth+Specification#JWTedit-v2/180781316#3.-JWT-Auth-Claims-Reference.
3. JWT Auth Claims Reference
...