---
title: Configuring a JWT Token Processor 1.2 instance
description: The PingFederate security token services (STS) provides validation for JSON web tokens (JWTs).
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_config_json_web_token_process_instance
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_json_web_token_process_instance.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: May 9, 2025
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring a JWT Token Processor 1.2 instance

The PingFederate security token services (STS) provides validation for JSON web tokens (JWTs).

## About this task

When configuring a JWT Token Processor instance to validate incoming JWTs, the system relies on a JSON Web Key Set (JWKS) to verify the token's signature. For the validation to succeed, specific attributes in the JWK must match corresponding information in the JWT header.

You can find more information about each attribute in the following table:

**Required JWK Attributes for JWT Validation**

| Attribute | Description                                                                                                                                                                                 |
| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `kid`     | The `kid` (key ID) parameter matches a specific key.                                                                                                                                        |
| `use`     | The `use` (public key use) parameter identifies the intended use of the public key. `use` indicates a public key is used for verifying the data signature.	The parameter value must be sig. |
| `alg`     | The `alg` (algorithm) parameter must match the `kty` (key type parameter), which is the cryptographic algorithm family used with the key.                                                   |

Learn more in the [JSON Web Key (JWK)](https://www.ietf.org/rfc/rfc7517.txt) specification.

## Steps

To configure the JWT Token Processor Instance:

1. Go to **Authentication > Token Exchange > Token Processors**.

2. On the **Instance Configuration** tab, enter the required information.

   See the following table for information about each field.

   **JWT Token Processor instance field names and descriptions**

   | Field                 | Description                                                                                                                           |
   | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
   | **JWKS Endpoint URI** | The URI of the JWKS endpoint. A set of JSON Web Keys (JWK) are downloaded from this endpoint and used for JWT signature verification. |
   | **Issuer**            | A unique identifier for the issuer of the JWT.                                                                                        |
   | **Expiry Tolerance**  | The amount of time, in seconds, to allow for clock skew between servers. Valid range is 0 to 3600.                                    |