How to generate JWT tokens for public APIs

The public APIs are useful for performing some bot-related operations from outside the bot builder, and for achieving CI (continuous integration)/CD (continuous development) goals. For the Kore platform, the public APIs are listed here.

Please note that all the public APIs authenticate the requester using a JWT. As a developer or an administrator, you are expected to keep the JWT safe under access control and to change it as often as needed.

To use the APIs you will first need a scope. An API is specific to either the bot scope or the admin scope. The documentation for each API states which scope it caters to.

Ex: cater to the admin console scope.

Please follow this documentation to learn how to create an app and map it to a scope, both under a bot and in the Bot Admin Console.

Please note:

  1. You can also generate a JWT token from if you have any difficulty using Kore’s own JWT tool.
  2. As of now, for apps which you will map to API scope, only HS256 is allowed.

An example follows:

Let us see how to work with the Get Change Logs API. The first thing that you may notice in the sample request is the auth: {{JWT}}. We will see how to create it.

Step 1: Navigate to the BAC (Bot Admin Console) > Security and Control > API Scope. Then either edit or create an app as described in the documentation.

Step 2: Ensure the app is mapped to the right scope, as indicated in the API’s documentation above.

Step 3: Create the JWT token. Copy it.

Step 4: Build the request and trigger it from Postman (assuming the query is run for and for a given bot)

Common Mistakes developers make

  • Using the incorrect method for the request (POST, GET, PUT, etc.). Please refer to the API-specific documentation.
  • Forgetting to save the App/API scope.
  • Incorrect mapping in the scope.
  • Creating the scope in a different account (Kore supports self-signed account) and trying to run against a bot of a different account (maybe an account you were invited to).
  • Forgetting to sign the JWT with the secret.
  • Any typo in JWT creation.
  • Incorrect JWT algorithm.
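
To make Step 3 and the last three mistakes concrete, here is an added example (not Kore's own code or tool) that signs a token with HS256 using only the Python standard library and then checks it the way an HS256-only verifier would. The `appId` claim name, the client id and the secret are constructed placeholders and assumptions; use the claims and secret shown for your app.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    # JWT segments are URL-safe base64 with the "=" padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac(signing_input: str, secret: str) -> str:
    digest = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return b64url(digest)


def sign_hs256(claims: dict, secret: str) -> str:
    """Return header.payload.signature, signed with HMAC-SHA256 (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    head, body = (b64url(json.dumps(part, separators=(",", ":")).encode())
                  for part in (header, claims))
    return f"{head}.{body}.{mac(head + '.' + body, secret)}"


def check_hs256(token: str, secret: str) -> str:
    """Return "ok", or the reason an HS256-only verifier rejects the token."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return "not signed"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:
        return "malformed header"
    # Pin the algorithm instead of trusting whatever the header claims.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return "wrong algorithm"
    expected = mac(parts[0] + "." + parts[1], secret)
    if not hmac.compare_digest(expected.encode(), parts[2].encode()):
        return "bad signature"
    return "ok"


if __name__ == "__main__":
    # Constructed values; the "appId" claim name is an assumption.
    print(sign_hs256({"appId": "cs-constructed-id"}, "constructed-secret"))
```

Running `check_hs256` on a token before pasting it into the `auth` header separates a signing or algorithm mistake from a scope-mapping mistake on the platform side.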