Human Capital Management Blogs by SAP
Get insider info on SAP SuccessFactors HCM suite for core HR and payroll, time and attendance, talent management, employee experience management, and more in this SAP blog.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert

JWT-based Authentication

The basic thing you need to understand JWT-based authentication is that you’re dealing with an encrypted JSON which we’ll call “token”. This token has all the information required for the back-end system to understand who you are and if, indeed, you are who you say you are.

So, let’s get into it.

Step 1 - Generate a private key.

You can generate a private key with the openssl tool using Gitbash


openssl genrsa -out private_jwt.key 2048


2. Generate a public key.

Again, we use openssl to generate the public key for the private key created in above scenario 1


openssl rsa -in private_jwt.key -pubout -outform PEM -out


The public key is stored in the file It is used later by Commissions to verify the JWT token signature during the logon.
Step 2. Select Commissions user with authentication type JWT and upload the public key.

Go to SAP Commission > User Administration > Select your User and follow the steps

Step 3. Generate a JWT token.

Install Node and NPM to get jwtgen Package (


npm i jwtgen


Command to generate JWT Token


jwtgen -e 3000 -c "sub=D00000000000001" -c "aud=https://<tenantid>" -a RS256 -p JWT-Auth.key


Note : sub = your userId of SAP commissions

Screenshot for JWT Token

SAP Commissions performs the following validations on the JWT token:

    • The aud claim in the token is equal to the Commissions server URL.
    • The iss claim in the token contains a Commissions user id of authentication type JWT.
    • The token signature is successfully verified with the public key stored with the Commissions user.
    • The token is valid and not yet expired.

Step 4. Authenticate against Commissions with the JWT token.

GET Method :

If this API call is successful, a response with {} will appear.

Known Error

    • Public Key is limited to one user for JWT Authentication

Decoded Headers


  "typ": "JWT",
  "alg": "RS256"


Decoded Payload


  "iat": 1616780333,
  "exp": 1616783333,
  "sub": "D00000000000001",
  "aud": "https://<tenantid>"