---
title: Configuring a JWT Token Processor 2.0 instance
description: Validate JSON Web Tokens using the Security Token Service
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_configuring_jwt_token_processor_20_instance
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_configuring_jwt_token_processor_20_instance.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: September 5, 2025
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
  next-steps: Next steps
---

# Configuring a JWT Token Processor 2.0 instance

The PingFederate Security Token Service (STS) provides validation for any JSON Web Token (JWT).

The STS is an entity responsible for responding to WS-Trust requests for validation and issuance of security tokens used for SSO authentication to web services. A JWT is an IETF standard container format for a JSON object used for the secure exchange of content, such as identity or entitlement information. You can find the industry standard in [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519).

## Before you begin

Use the **Type** tab on the **Create Token Processor Instance** page to begin configuring a JWT Token Processor 2.0 instance. Learn more in [Selecting a token processor type](help_tokenprocessorinstancetasklet_selectadaptertypestate.html).

## About this task

The following procedure describes how to use the **Instance Configuration** tab on the **Create Token Processor Instance** window to continue configuring a JWT token processor 2.0 instance.

This feature supports the [OAuth 2.0 Token Exchange](https://datatracker.ietf.org/doc/html/rfc8693) and [WS Trust](https://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html) specifications. JWT token processor 2.0 offers more functions than does [JWT token processor 1.2](pf_config_json_web_token_process_instance.html).

![Screenshot of the Instance Configuration tab for JWT token processor 2.0](_images/vit1685549220553.png)

## Steps

1. On the **Create Token Processor Instance** page, go to the **Instance Configuration** tab.

2. In the **Issuer** field, enter the name of an allowed issuer.

3. Choose one of the following:

   * In the **JWKS URL** field, enter a JWKS URL.

   * In the **JWKS** field, paste a JWKS JSON object. The object should have the following format:

     ```json
         {
           "keys": [
              {
                 "kty": "RSA",
                 "kid": "1",
                 "use": "sig",
                 "n": "t7jW8PvJRA7qo4N4dY7JZt1vNtLX9SdRyV1ytW8Fv2jKgGJfRdKjSNWZIvA2fO3efrjzb35LTUpatb0x6OcTjID0J6YwO6UZQL0xfDeX9jK78B2JGpxShsC-VzHf2ggn_rBBFBRHvLcZlGSlpjOyh7X9dNIx-rKjyZH8OYdY7db4nxHzvZt7S9jkG5Qh7Kol8F1JwYjGIVf03QmUR-yWZnGGFJbP9oEJMW_kRWVCn_-Ic6wgK1NIDJFjjUZP6oZgQzAjbAULNV1sHsMYyrDTyOAc_26fTJp6MLDeUZ_iO8jKkrrgXsDxUnsztOeHOrGnvMw",
                 "e": "AQAB"
               }
           ]
         }
     ```

     PingFederate uses the JWKS or JWKS URL to get the validation keys for the issuer.

4. Specify one or more **Allowed Audiences**.

   > This setting is optional unless you select the **Require Audience** checkbox.

5. Specify which of the following token claims are required:

   * Audience (`aud`)

   * Expiration time (`exp`)

   * Issued at time (`iat`)

   * Not before time (`nbf`)

   By default, the `aud` and `exp` claims are required, and the `iat` and `nbf` claims are not required.

6. **(Optional)** Click **Show Advanced Fields** and change the default value for any of the following settings:

   * **Default Cache Configuration**, which sets the number of minutes to cache the JWKS

     > This feature affects JWKS caching only when you specify a **JWKS URL** for an **Allowed Issuer** and the JWKS URL response doesn't indicate a cache time. This feature doesn't apply when you specify a **JWKS** for an allowed issuer.

   * **Allowed Clock Skew** for `exp` and `nbf` claims

   * **Max Future Validity**, which limits the lifetime of the token

7. Click **Save**.
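As an added illustration (not PingFederate code and not part of the original page), the following Python example applies the claim checks that the settings in these steps describe to a claim set whose signature has already been verified. The class and field names, the use of seconds, and the reading of **Max Future Validity** as a cap on how far `exp` may lie in the future are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Policy:  # hypothetical names; defaults follow the page (aud and exp required)
    issuer: str
    allowed_audiences: frozenset = frozenset()
    required: frozenset = frozenset({"aud", "exp"})
    clock_skew: int = 0           # seconds (assumed unit)
    max_future_validity: int = 0  # seconds; 0 means no limit (assumed semantics)

    def __post_init__(self):
        # Allowed Audiences is optional only while the aud claim is not required.
        if "aud" in self.required and not self.allowed_audiences:
            raise ValueError("aud is required but no allowed audience is configured")

def check_claims(claims, policy, now):
    """Return rejection reasons for an already signature-verified claim set."""
    errors = [f"{c}: required claim missing"
              for c in sorted(policy.required) if c not in claims]
    if claims.get("iss") != policy.issuer:
        errors.append("iss: not the allowed issuer")
    if "aud" in claims and policy.allowed_audiences:
        aud = claims["aud"]  # RFC 7519 allows a single string or an array
        values = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
        if not {a for a in values if isinstance(a, str)} & policy.allowed_audiences:
            errors.append("aud: no allowed audience present")
    times = {}
    for c in ("exp", "nbf", "iat"):
        if c not in claims:
            continue
        v = claims[c]
        if isinstance(v, bool) or not isinstance(v, (int, float)):
            errors.append(f"{c}: not a numeric date")  # a null exp must not pass
        else:
            times[c] = v
    if "exp" in times:
        if now >= times["exp"] + policy.clock_skew:
            errors.append("exp: token expired")
        elif policy.max_future_validity and times["exp"] - now > policy.max_future_validity:
            errors.append("exp: beyond max future validity")
    if "nbf" in times and now + policy.clock_skew < times["nbf"]:
        errors.append("nbf: token not yet valid")
    return errors

# Constructed sample values, not taken from a real deployment.
NOW = 1_700_000_000
POLICY = Policy("https://issuer.example", frozenset({"api://orders"}),
                clock_skew=60, max_future_validity=3600)
GOOD = {"iss": "https://issuer.example", "aud": ["api://orders"], "exp": NOW + 300}
print(check_claims({**GOOD, "exp": NOW + 86400}, POLICY, NOW))
```

An empty list means the claims satisfy the policy; each string names the claim that caused the rejection.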

## Next steps

After selecting the token processor type, go to the **Extended Contract** tab to continue configuring the token processor instance. Learn more in [Extending a token processor contract](help_tokenprocessorinstancetasklet_createadaptercontractstate.html).
