---
title: JWT Password Replay node
description: The JWT Password Replay node stores the user's password in an encrypted JSON Web Token (JWT). The node retrieves a secret from the secret store using a configured secret label identifier to encrypt the JWT. The encrypted JWT is then stored as a session property.
component: auth-node-ref
version: latest
page_id: auth-node-ref::jwt-password-replay
canonical_url: https://docs.pingidentity.com/auth-node-ref/latest/jwt-password-replay.html
superseded_by: https://docs.pingidentity.com/auth-node-ref/latest/jwt-password-replay.html
section_ids:
  example: Example
  availability: Availability
  inputs: Inputs
  dependencies: Dependencies
  configuration: Configuration
  outputs: Outputs
  outcomes: Outcomes
  errors: Errors
---

# JWT Password Replay node

The JWT Password Replay node stores the user's password in an encrypted JSON Web Token (JWT). The node retrieves a secret from the secret store using a configured secret label identifier to encrypt the JWT. The encrypted JWT is then stored as a session property.

You can then configure PingGateway to extract this session property using the token returned by a successful authentication journey.

This node is intended for use with legacy applications that require a password for authentication where delegation isn't an option.

## Example

Use the JWT Password Replay node with PingGateway to capture and replay username-password credentials.

Place the node *after* successful user validation so that the computational expense of generating a JWT only occurs for authenticated users. For example:

![jwt password replay example](_images/jwt-password-replay-example.png)

## Availability

| Product                               | Available? |
| ------------------------------------- | ---------- |
| PingOne Advanced Identity Cloud       | Yes        |
| PingAM (self-managed)                 | Yes        |
| Ping Identity Platform (self-managed) | Yes        |

## Inputs

The node reads the `password` field from shared state.

## Dependencies

A secret in the secret store to encrypt the JWT.

## Configuration

| Property | Usage |
| -------- | ----- |
| Encryption Key Secret Label Identifier | Advanced Identity Cloud uses this identifier to create a specific secret label for this node. The secret label takes the form `am.authentication.nodes.jwt.replay.identifier.encryption`, where `identifier` is the value of Encryption Key Secret Label Identifier. The identifier can only contain alphanumeric characters (`a-z`, `A-Z`, `0-9`) and periods (`.`). It can't start or end with a period. |
| JWT Session Property Name | The session property that stores the JWT at the end of the journey. The default is `sunIdentityUserPassword`, which is recognized by PingGateway. For security reasons, don't allowlist this session property. |

## Outputs

The node stores the JWT as the session property defined in the node configuration.

## Outcomes

* Success

  The node created and stored the JWT successfully.

* Error

  The password was missing from state or the encryption secret couldn't be retrieved.

## Errors

If the node encounters an error, it logs one of the following messages:

* **Missing password**: `No password found in state to create JWT for password replay`

* **Missing secret**: `No active encryption key secret found for purpose secret label`
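
A pre-deployment check for the rules in the Configuration table and the missing-secret condition above, as an added example that is not Ping Identity code. The function names, the set of mapped secret labels and the session property allowlist are hypothetical inputs you would export from your own deployment; the sample values are constructed.

```python
import re

# Label form from the Configuration table; {identifier} is the configured value.
LABEL_TEMPLATE = "am.authentication.nodes.jwt.replay.{identifier}.encryption"
# Only a-z, A-Z, 0-9 and periods; must not start or end with a period.
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.]*[A-Za-z0-9])?")


def secret_label(identifier):
    """Return the secret label for an identifier, or raise ValueError."""
    if not IDENTIFIER_RE.fullmatch(identifier):
        raise ValueError(f"invalid secret label identifier: {identifier!r}")
    return LABEL_TEMPLATE.format(identifier=identifier)


def lint_node(identifier, session_property, mapped_labels, allowlisted):
    """Return findings for one node configuration; an empty list means clean."""
    findings = []
    try:
        label = secret_label(identifier)
    except ValueError as exc:
        findings.append(str(exc))
    else:
        # The node takes the Error outcome when the secret can't be retrieved.
        if label not in mapped_labels:
            findings.append(f"no secret mapped for label {label}")
    # The page says not to allowlist the property that holds the JWT.
    if session_property in allowlisted:
        findings.append(f"session property {session_property} is allowlisted")
    return findings


# Constructed sample data (hypothetical exports, not real tenant values).
SAMPLE_MAPPED_LABELS = {"am.authentication.nodes.jwt.replay.legacyapp.encryption"}
SAMPLE_ALLOWLIST = {"exampleProperty", "sunIdentityUserPassword"}

if __name__ == "__main__":
    for ident, prop in [("legacyapp", "replayJwt"),
                        ("legacy.app.", "replayJwt"),
                        ("crm", "sunIdentityUserPassword")]:
        result = lint_node(ident, prop, SAMPLE_MAPPED_LABELS, SAMPLE_ALLOWLIST)
        print(ident, prop, result or "OK")
```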
