Need to use HS256 algorithm for signing with JSON Web Token (JWT)


We need to integrate with an external system from Pega 7.3.1 using JSON Web Token (JWT). In the Pega Token Profile (DATA-ADMIN-SECURITY-TOKEN) instance, we can only select the asymmetric algorithms attached below:

Customer's requirement is HS256, which is a symmetric algorithm, and that is a must. Is it possible to easily make it available? If it is not provided out-of-the-box, I need to know how we can custom build it. Please let me know.




June 1, 2018 - 12:29pm

You may try writing custom Java code in the pyInvokeRest connector and implement the HS256 APIs from .

JWSObject jwsObject = new JWSObject(new JWSHeader(JWSAlgorithm.HS256),
                                    new Payload("Hello, world!"));

// We need a 256-bit key for HS256 which must be pre-shared
byte[] sharedKey = new byte[32];
new SecureRandom().nextBytes(sharedKey);

// Apply the HMAC to the JWS object
jwsObject.sign(new MACSigner(sharedKey));

// Output to URL-safe format
String s = jwsObject.serialize();




February 6, 2019 - 12:48pm

I also had the same problem, as an external service required an HMAC-signed token. It has been some time since this question was raised, but this is for the sake of anybody who needs a complete solution.

This is complete code which you can copy into a function rule, and it should work immediately.

You need to include the following packages in your library which you will use for the function rule:





/* Code Block START*/

// Classes used below come from com.nimbusds.jose, com.nimbusds.jose.crypto,
// com.nimbusds.jwt and java.util

JWSObject signedJWT = null;

try {
  // Create the JSON JWT Header
  JWSHeader header = new JWSHeader(JWSAlgorithm.HS256);
  // add expiration time (in milliseconds)
  long expL = new Date().getTime();
  expL = expL + 90000;

  // Create the JSON JWT Payload
  JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
    .subject("/your Subject")
    .expirationTime(new Date(expL))
    .issueTime(new Date())
    .claim("uid", "some claims you want") // append as many as you want before calling build(), like .claim("","").claim("",""), as the return is always the builder object
    .build();

  signedJWT = new SignedJWT( header, claimsSet );

  // Sign with the HS256 key passed as the string parameter
  // (MACSigner rejects keys shorter than 256 bits; the charset is fixed so both sides derive the same bytes)
  signedJWT.sign( new MACSigner(key.getBytes(java.nio.charset.StandardCharsets.UTF_8)) );
}
catch ( Exception e ) {
  oLog.infoForced("CustomUtils generate Token with HMac: " + e.getMessage() );
  return "";
}

return signedJWT.serialize();

/* Code Block END*/
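
As an added example (not code from any post in this thread, and not Pega's or the library's own code): what the HS256 compact token produced above consists of, built with JDK classes only, together with the check the receiving side should make. The class name, the fixed header, the sample key and the claims are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Hs256Demo {
    // Fixed protected header for this demo
    static final String HEADER = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] hmac(String signingInput, byte[] key) throws Exception {
        if (key.length < 32) // HS256 needs a key of at least 256 bits
            throw new IllegalArgumentException("key shorter than 256 bits");
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Compact form: base64url(header) . base64url(payload) . base64url(HMAC)
    static String sign(String payloadJson, byte[] key) throws Exception {
        String signingInput = b64(HEADER) + "." + b64(payloadJson);
        return signingInput + "." + B64.encodeToString(hmac(signingInput, key));
    }

    // Accepts only the header above, so a token naming another alg is rejected
    static boolean verify(String token, byte[] key) throws Exception {
        String[] p = token.split("\\.", -1);
        if (p.length != 3 || !p[0].equals(b64(HEADER))) return false;
        byte[] expected = hmac(p[0] + "." + p[1], key);
        try {
            // MessageDigest.isEqual compares the two MACs in constant time
            return MessageDigest.isEqual(expected, Base64.getUrlDecoder().decode(p[2]));
        } catch (IllegalArgumentException badBase64) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and claims; a real key is random and pre-shared
        byte[] key = "constructed-demo-key-32-bytes-ok".getBytes(StandardCharsets.UTF_8);
        String token = sign("{\"sub\":\"/your Subject\",\"uid\":\"demo\"}", key);
        String[] p = token.split("\\.");
        String altered = p[0] + "." + b64("{\"sub\":\"someone else\"}") + "." + p[2];
        System.out.println(token);
        System.out.println("original verifies: " + verify(token, key));
        System.out.println("altered verifies:  " + verify(altered, key));
    }
}
```

Because HS256 is symmetric, the same key both signs and verifies, so every system holding it can also mint tokens; a real verifier would parse the header JSON and check `exp` instead of comparing against one fixed header string.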

February 11, 2019 - 11:05pm
Response to WilhelmM

Hi Wilhelm,

We have an issue with the OpenID Connect rule for SSO: the current implementation (import metadata) will support RS256, but we need to pass HS256.

Do you know which function (OOTB) I need to put the above code in to make SSO work?