docs: document jwt hook claims (#2281)

gaultier · unatasha8 · web-flow · commit 9d13fea0b26a · 2025-09-02T12:32:55.000+02:00
Update docs/identities/session-to-jwt-cors.mdx

Co-authored-by: unatasha8 &lt;una.cogavin@ory.sh&gt;
diff --git a/docs/identities/session-to-jwt-cors.mdx b/docs/identities/session-to-jwt-cors.mdx
@@ -27,7 +27,7 @@ ory create jwk some-example-set \
   > es256.jwks.json
 ```
 
-Next, we need to create a JsonNet template that will be used to modify the claims of the JWT:
+Next, we need to create a Jsonnet template that will be used to modify the claims of the JWT:
 
 ```jsonnet title="claims.jsonnet"
 local claims = std.extVar('claims');
@@ -42,7 +42,7 @@ local session = std.extVar('session');
 }
 ```
 
-The easiest way to supplies these files to Ory Network is to base64-encode them:
+The easiest way to supply these files to Ory Network is to base64-encode them:
 
 ```shell
 JWKS_B64_ENCODED=$(cat es256.jwks.json | base64 -w 0)
@@ -219,3 +219,279 @@ If the key set contains more than one key, the first key in the list will be use
   ],
 }
 ```
+
+### Customizing JWT claims with webhooks
+
+Sometimes, Jsonnet scripting is not enough to customize the JWT. A network call to a different service is necessary. A typical use
+case is adding custom claims to the tokens based on a separate database or business logic.
+
+This is possible by registering a webhook endpoint in the configuration. This is all done in a separate endpoint:
+`/sessions/whoami-jwt/{templateName}`. Before the token is issued to the client, Ory will call your HTTPS endpoint with
+information about the client requesting the token. Note that the template name is mandatory. This way, your application can at
+runtime use different template names and thus third-party endpoints at will.
+
+:::note
+
+Be aware that this approach is easy but also has numerous disadvantages:
+
+- Added request latency: if the third-party service takes 100 milliseconds to respond to the request, that means that the response
+  time for the `/sessions/whoami-jwt/{templateName}` increases by that much
+- If the third-party service is not available, authentication will fail for the user.
+
+Thus, we recommend creating the JWT yourself if you need to add a lot of dynamic claims.
+
+Alternatively and preferably, you can use
+[distributed/aggregated claims](https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims).
+
+:::
+
+Your endpoint's response to the webhook will be used to customize the JWT token that Ory issues to the client.
+
+Using webhooks is supported for all flows.
+
+If your endpoint is gated behind authentication, ensure that the configuration contains the correct credentials. They will be sent
+in the request when contacting the endpoint.
+
+:::note
+
+The webhook is called before any other logic is executed. If the webhook execution fails, for example if your endpoint is
+unreachable or responds with an HTTP error code, the token exchange will fail for the client.
+
+:::
+
+#### Configuration
+
+Use the Ory CLI to register your webhook endpoint:
+
+```mdx-code-block
+<Tabs>
+  <TabItem value="header-auth" label="With authentication in header" default >
+    <CodeBlock language="shell">{
+`ory patch identity-config --project <project-id> --workspace <workspace-id> \\
+  --add '/session/whoami/tokenizer/templates/jwt_template_1/claims_hook/url="https://my-example.app/token-hook"' \\
+  --add '/session/whoami/tokenizer/templates/jwt_template_1/claims_hook/auth/type="api_key"' \\
+  --add '/session/whoami/tokenizer/templates/jwt_template_1/claims_hook/auth/config/in="header"' \\
+  --add '/session/whoami/tokenizer/templates/jwt_template_1/claims_hook/auth/config/name="X-API-Key"' \\
+  --add '/session/whoami/tokenizer/templates/jwt_template_1/claims_hook/auth/config/value="MY API KEY"' \\
+  --format yaml`}
+    </CodeBlock>
+  </TabItem>
+  <TabItem value="cookie-auth" label="With authentication in cookie">
+    <CodeBlock language="shell">{
+`ory patch identity-config --project <project-id> --workspace <workspace-id> \\
+  --add '/session/whoami/tokenizer/templates/jwt_template_1/claims_hook/url="https://my-example.app/token-hook"' \\
+  --add '/session/whoami/tokenizer/templates/jwt_template_1/claims_hook/auth/type="api_key"' \\
+  --add '/session/whoami/tokenizer/templates/jwt_template_1/claims_hook/auth/config/in="cookie"' \\
+  --add '/session/whoami/tokenizer/templates/jwt_template_1/claims_hook/auth/config/name="X-Cookie-Name"' \\
+  --add '/session/whoami/tokenizer/templates/jwt_template_1/claims_hook/auth/config/value="MY SECRET COOKIE"' \\
+  --format yaml`}
+    </CodeBlock>
+  </TabItem>
+  <TabItem value="no-auth" label="No authentication">
+    <CodeBlock language="shell">{
+`ory patch identity-config --project <project-id> --workspace <workspace-id> \\
+  --add '/session/whoami/tokenizer/templates/jwt_template_1/claims_hook/url="https://my-example.app/token-hook"' \\
+  --format yaml`}
+    </CodeBlock>
+  </TabItem>
+</Tabs>
+```
+
+Or use the YAML configuration:
+
+```mdx-code-block
+<Tabs>
+  <TabItem value="header-auth" label="With authentication in header" default >
+    <CodeBlock language="yaml">{`
+session:
+  whoami:
+    tokenizer:
+      templates:
+        jwt_template_1:
+          jwks_url: base64://... # A JSON Web Key Set (required)
+          ttl: 1m # 1 minute (defaults to 10 minutes)
+      // highlight-start
+          claims_hook:
+            url: https://my-example.app/token-hook
+            auth:
+              type: api_key
+              config:
+                in: header
+                name: X-API-Key
+                value: "MY API KEY"
+      // highlight-end
+        another_jwt_template:
+          jwks_url: base64://... # A JSON Web Key Set
+          # [...]
+`}
+    </CodeBlock>
+  </TabItem>
+  <TabItem value="cookie-auth" label="With authentication in cookie">
+    <CodeBlock language="yaml">{`
+session:
+  whoami:
+    tokenizer:
+      templates:
+        jwt_template_1:
+          jwks_url: base64://... # A JSON Web Key Set (required)
+          ttl: 1m # 1 minute (defaults to 10 minutes)
+      // highlight-start
+          claims_hook:
+            url: https://my-example.app/token-hook
+            auth:
+              type: api_key
+              config:
+                in: cookie
+                name: X-Cookie-Name
+                value: "MY SECRET COOKIE"
+      // highlight-end
+        another_jwt_template:
+          jwks_url: base64://... # A JSON Web Key Set
+          # [...]
+`}
+    </CodeBlock>
+  </TabItem>
+  <TabItem value="no-auth" label="No authentication">
+    <CodeBlock language="yaml">{`
+session:
+  whoami:
+    tokenizer:
+      templates:
+        jwt_template_1:
+          jwks_url: base64://... # A JSON Web Key Set (required)
+          ttl: 1m # 1 minute (defaults to 10 minutes)
+      // highlight-start
+          claims_hook:
+            url: http://svc.example.com/jwt-webhook
+      // highlight-end
+        another_jwt_template:
+          jwks_url: base64://... # A JSON Web Key Set
+          # [...]
+`}
+    </CodeBlock>
+  </TabItem>
+</Tabs>
+```
+
+#### Webhook payload
+
+Ory will perform a POST request with a JSON payload towards your endpoint as configured, e.g.
+`http://svc.example.com/jwt-webhook`.
+
+```json title="Example token webhook request payload"
+{
+  "request_headers": {
+    "X-Claim-Name": ["a custom claim"]
+  },
+  "request_method": "GET",
+  "request_url": "http://example.com/sessions/whoami-jwt/template_1",
+  "request_cookies": {},
+  "session": {
+    "id": "432caf86-c1d8-401c-978a-8da89133f78b",
+    "active": true,
+    "expires_at": "2025-08-22T16:29:26.579741+02:00",
+    "authenticated_at": "2025-08-21T16:29:26.579741+02:00",
+    "authenticator_assurance_level": "aal1",
+    "authentication_methods": [
+      {
+        "method": "password",
+        "aal": "aal1",
+        "completed_at": "2025-08-21T14:29:26.899803Z"
+      }
+    ],
+    "issued_at": "2025-08-21T16:29:26.579741+02:00",
+    "identity": {
+      "id": "7458af86-c1d8-401c-978a-8da89133f78b",
+      "external_id": "external-id",
+      "schema_id": "default",
+      "schema_url": "http://localhost/schemas/ZGVmYXVsdA",
+      "state": "active",
+      "state_changed_at": "2025-08-21T14:29:26.899788Z",
+      "traits": {},
+      "metadata_public": null,
+      "created_at": "0001-01-01T00:00:00Z",
+      "updated_at": "2025-08-21T16:29:26.900034+02:00",
+      "organization_id": null
+    },
+    "devices": [
+      {
+        "id": "00000000-0000-0000-0000-000000000000",
+        "ip_address": "192.0.2.1:1234",
+        "user_agent": null,
+        "location": ""
+      }
+    ],
+    "tokenized": "eyJhbGciOiJFUzUxMiIsImtpZCI6ImJjN2Y3YWZjLTY3NDItNDI3Yy1iYjllLTE2NGZlMGY4YjZhNyIsInR5cCI6IkpXVCJ9.eyJhYWwiOiJhYWwxIiwiZXhwIjoxNjc1MjA5NjYwLCJleHRlcm5hbF9pZCI6ImV4dGVybmFsLWlkIiwiZm9vIjoiYmFyIiwiaWF0IjoxNjc1MjA5NjAwLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0LyIsImp0aSI6IjYwZjdjOGU2LTIxYzMtNGExYi1hMTBhLTRjZjUyNmVhOWMzOCIsIm5iZiI6MTY3NTIwOTYwMCwic2NoZW1hX2lkIjoiZGVmYXVsdCIsInNlY29uZF9jbGFpbSI6MTY3NTIwOTY2MCwic2lkIjoiNDMyY2FmODYtYzFkOC00MDFjLTk3OGEtOGRhODkxMzNmNzhiIiwic3ViIjoiZXh0ZXJuYWwtaWQifQ.AXSrbfjtCvufuZEosTeHbS_oo01MiwdaB3ebS96pb9fO51QkC0rQHadY2hC3Ig4SP2x60NMl-Ff5mlEp4QTY9tPIATwFPbXFs-dBCKlZsLk7RA_s2fi4JXTQJU2WbxdHNGn_W3tL4IsTIQLPrrxXd301c72kDc4TVhLX99kIlasheBas"
+  },
+  "claims": {
+    "exp": 1675209660,
+    "iat": 1675209600,
+    "iss": "http://localhost/",
+    "jti": "eecab9dd-86fe-469a-8c04-ed7e103aea1e",
+    "nbf": 1675209600,
+    "sid": "432caf86-c1d8-401c-978a-8da89133f78b",
+    "sub": "7458af86-c1d8-401c-978a-8da89133f78b"
+  }
+}
+```
+
+Fields prefixed with `request_` contain information from the client's request to the `/sessions/whoami-jwt/{templateName}`
+endpoint.
+
+The HTTP headers, present in the client request and that are in the allow-list (from the configuration field
+`clients.web_hook.header_allowlist`), will be forwarded to the webhook endpoint. In the above example, `X-Claim-Name` is such a
+HTTP header.
+
+#### Responding to the webhook
+
+When handling the webhook in your endpoint, use the request payload to decide how Ory should proceed in the token exchange with
+the client.
+
+To accept the token exchange without modification, return a `204` or `200` HTTP status code without a response body.
+
+To deny the token exchange, reply with a `403` HTTP status code.
+
+To accept the claims without modification, return an empty body with a 204 status code.
+
+To modify the claims of the issued tokens and instruct Ory Identities to proceed with the token exchange, return `200` with a JSON
+response body containing the claims that the final JWT should contain:
+
+```json
+{
+  "claims": {
+    "name": "John Doe",
+    "admin": true
+  }
+}
+```
+
+For the happy path, the response body must be an object containing a key `claims`, whose value is a map of string keys to any
+value. Each key-value in the `claims` object will be added as-is to the final JWT claims.
+
+Responding with any other HTTP status code will abort the token exchange toward the client with an error message. In case of a 40x
+or 50x response code from your endpoint, a response body of any shape can be sent (for example containing an error message or
+code) and this response body will be included in the error sent back to the client on a best effort basis.
+
+#### Updated tokens
+
+Tokens issued by Ory to the client will contain the data from your webhook response:
+
+```json
+{
+  "admin": true,
+  "exp": 1675209660,
+  "iat": 1675209600,
+  "iss": "http://localhost/",
+  "jti": "d4ef10de-bffd-48cb-a9cf-3cab91d4f5c2",
+  "name": "John Doe",
+  "nbf": 1675209600,
+  "sid": "432caf86-c1d8-401c-978a-8da89133f78b",
+  "sub": "7458af86-c1d8-401c-978a-8da89133f78b"
+}
+```
+
+:::note
+
+You cannot override the token subject.
+
+:::
