--- title: "Generate a JWT for mobile user authentication | Nutrient" canonical_url: "https://www.nutrient.io/guides/document-engine/viewer/client-authentication/generate-a-jwt-for-mobile/" md_url: "https://www.nutrient.io/guides/document-engine/viewer/client-authentication/generate-a-jwt-for-mobile.md" last_updated: "2026-06-09T10:25:14.404Z" description: "Learn to generate a JSON Web Token (JWT) for mobile user authentication, ensuring proper claims and cryptographic algorithms for secure document conversion." --- # Generate a JWT for mobile user authentication Our [Android](https://www.nutrient.io/guides/android/features/office-conversion.md) and [iOS](https://www.nutrient.io/guides/ios/features/office-conversion.md) SDKs let you use your running Document Engine instance for converting Office documents to PDFs. This API also uses the JSON Web Token ([JWT](https://jwt.io/)) format for authentication, but it needs a different set of claims than our document API does. Keep the following in mind when generating a token for mobile conversion: - It has to include the standard claim `"exp"`, which sets the deadline for the validity of the token. This needs to be a non-negative number using the [Unix “Seconds Since the Epoch” timestamp format](http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_15). - It has to include the custom `"sha256"` claim, containing the SHA-256 of the Office file you’re planning to convert. This is used so that each token is only able to convert a single document. - It has to be signed using an asymmetric cryptographic algorithm. Document Engine supports the algorithms RS256, RS512, ES256, and ES512. See [RFC 7518](https://www.ietf.org/rfc/rfc7518.html#section-3) for details about specific algorithms. ## Generating tokens The following example shows the creation of a JWT in JavaScript using the [`jsonwebtoken`](https://github.com/auth0/node-jsonwebtoken) library. 1. Create a key via `ssh-keygen`: ```shell ssh-keygen -t rsa -b 4096 -f jwtRS256.key # Enter your passphrase. # Get the public key in PEM format: openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256_pub.pem # If the above command fails because newer versions of `ssh-keygen` output a different format, # convert the key to PEM like this and then repeat the `openssl` command. ssh-keygen -p -m PEM -t rsa -b 4096 -f jwtRS256.key openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256_pub.pem ``` The private key (`jwtRS256.key`) is used to sign the tokens you hand out to the clients. The public key (`jwtRS256_pub.pem`) needs to be added as a `JWT_PUBLIC_KEY` in [Document Engine’s configuration](https://www.nutrient.io/guides/document-engine/configuration/options.md) so that the server will be able to validate the tokens’ signatures but won’t be able to create valid signatures. This example assumes you chose the `RS256` algorithm as the `JWT_ALGORITHM` in Document Engine’s configuration. If you want to quickly test Nutrient Web SDK with your application, you can also use the key from our [example apps](https://github.com/PSPDFKit/pspdfkit-server-example-nodejs/blob/master/config/jwt.pem) (passphrase: _secret_). Make sure to change to a self-generated key before going into production. 2. Install the `jsonwebtoken` dependency: ```shell npm install --save jsonwebtoken ``` 3. Read the private key so that it can be used to sign JWTs. In the claims, pass the SHA-256 of the Office file you’re planning to convert, along with the expiration. You can then use the resulting token in your application: ```js const fs = require("fs"); const jwt = require("jsonwebtoken"); const key = fs.readFileSync("./jwtRS256.key"); const token = jwt.sign({sha256: ""}, key, { algorithm: "RS256", expiresIn: 60 * 60 // 1 hour — this will set the `exp` claim for us. }); ``` --- ## Related pages - [Validate a JWT](/guides/document-engine/viewer/client-authentication/validate-a-jwt.md) - [Authentication flow](/guides/document-engine/viewer/client-authentication.md) - [Generate a JWT](/guides/document-engine/viewer/client-authentication/generate-a-jwt.md)