
How to create a JSON Web Token with ORGiD?

Authentication in the Winding Tree protocol relies on the JSON Web Token (JWT, IETF RFC 7519), which is in use in many commercial applications. In the Winding Tree protocol, the access token is self-generated by the requesting party.

Create a Public/Private key pair

For security reasons, the Ethereum private key that controls your ORGiD should never be stored on a server. When connecting to APIs, create a separate authentication key pair for your server that will be allowed to act on behalf of your organization. A good security practice is to rotate this server key pair periodically.

In the Winding Tree ecosystem, the keys in use are asymmetric keys on the secp256k1 elliptic curve.

Using OpenSSL

- How to install OpenSSL on Windows: video

- After installing OpenSSL on your computer, open the Start menu search, type cmd and open a Command Prompt.

openssl version
openssl ecparam -name secp256k1 -genkey -noout -out secp256k1.pem
openssl ec -in secp256k1.pem -pubout -out <public-key-file>

- This will create two files: secp256k1.pem, containing the private key, and the file named after -pubout -out, containing the public key.

- You can now search for the files by name and open them in Notepad or VS Code to view the keys.


Using Python

import ecdsa

# Generate a key pair on the secp256k1 curve
signing_key = ecdsa.SigningKey.generate(curve=ecdsa.SECP256k1)
verifying_key = signing_key.verifying_key

# Get the content of the PEM keys (bytes); the public PEM is the one you register
private_pem = signing_key.to_pem()
public_pem = verifying_key.to_pem()

Register your Public Key in your organization

You can register the created public key with your organization.

- Open your organization on Winding Tree (Winding Tree Marketplace).

- Scroll down and you’ll see the “Add Public Key” option. Click on it and a form will open.

- In the field “Key Type”, select secp256k1.

- In the field “Key in PEM format”, enter the public key without any line break.

- In the field “unique key ID”, enter any ID of your choice and make a note of it (it will be needed when creating the JWT). You can also keep the default value “webserver”.

- Save the form and pay the fee through your Ethereum wallet to complete the process.

Create a JWT Token

Using NodeJS

const { JWK, JWT } = require('jose');

// Private key of the server key pair, in PEM format (the output of the OpenSSL step above)
const privPem = `-----BEGIN EC PARAMETERS-----
<EC Parameters here>
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
<EC Private Key goes here>
-----END EC PRIVATE KEY-----`;

// Build the signing options: issuer (your ORGiD + key fragment), audience (recipient ORGiD), lifetime and optional scope
const genOptions = (privKey, origin, recipient, fragment = 'webserver', time = '1 year', scope = undefined) => ({
    priv: privKey,
    alg: 'ES256K',
    aud: `did:orgid:${recipient}`,
    iss: `did:orgid:${origin}`,
    fragment: fragment,
    exp: time,
    scope: scope,
});

const createToken = (options) => {
  // Import the PEM private key as a signing key for the ES256K algorithm
  const priv = JWK.asKey(options.priv, {
        alg: options.alg,
        use: 'sig'
  });

  return JWT.sign(
      {
        ...(options.scope ? { scope: options.scope } : {})
      },
      priv,
      {
        audience: options.aud,
        ...(options.iss ? { issuer: `${options.iss}${options.fragment ? '#' + options.fragment : ''}` } : {}),
        expiresIn: options.exp,
        kid: false,
        header: { typ: 'JWT' }
      }
  );
};

const options = genOptions(
    privPem,
    '0x..<your orgid>..',
    '0x..<recipient orgid>..'
);
const jwtToken = createToken(options);


Note: Enter your Organization’s unique key ID in place of ‘webserver’ in the above code. You had entered the unique key ID while adding the public key.

Using Python

import jwt
from jwt.contrib.algorithms.py_ecdsa import ECAlgorithm
from datetime import datetime

# The address of your own ORG.ID (the issuer of the token)
orgid = '0x...'

# Define the Addresses of the recipients' ORG.IDs
recipients = {'my_recipient': '0x...'}

# Define some variables
tokens = {}
# signing_key is the ecdsa.SigningKey generated in the "Using Python" key-pair step above
private_key = signing_key.to_pem().decode("ascii")
now = int(datetime.utcnow().timestamp())

# Register the ES256K algorithm as it is not recognized by default
jwt.register_algorithm('ES256K', ECAlgorithm(ECAlgorithm.SHA256))

# Walk through the list of recipients
for name in recipients:

    # Create a token signed with the server private key
    tokens[name] = jwt.encode(
        {
            'iss': 'did:orgid:%s#webserver' % orgid,   # The reference of the Public Key
            'aud': 'did:orgid:%s' % recipients[name],  # The recipient of your token
            'iat': now,                                # The date of token issuance
            'exp': now + 60*60*24                      # Set the token to expire in 24h
        },
        private_key,
        algorithm='ES256K'
    )

    print("JWT for %s: %s\n" % (name, tokens[name]))