# Issue channel access tokens v2.1

This guide describes how to generate a JSON Web Token (JWT) from your Assertion Signing Key and how to issue a channel access token v2.1 using the JWT.

# Create an Assertion Signing Key

Create an Assertion Signing Key by accessing the Basic settings tab of your Messaging API channel in the LINE Developers Console. Next, select Issue next to Assertion Signing Key. You can create up to 2 key pairs per channel.

An Assertion Signing Key is created and you receive a private key. Store this private key somewhere safe.

Key storage

LINE only stores the public key. We don't store the private key. It must be stored by you. We only display the private key once when issued.

# Generate a JWT

You can use any JWT library or write your own code from scratch to generate a JWT from your Assertion Signing Key.

This is an example created using a JavaScript library introduced in JWT. To use this code, you'll need to install these items:

The JWT is a string made up of a header, a payload, and a signature. All three are required.

Header

| Property | Description |
| --- | --- |
| alg | Fixed property: "RS256" |
| typ | Fixed property: "JWT" |
| kid | Use the kid property from your private key |

This is an example of a decoded header value.

```json
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "536e453c-aa93-4449-8e90-add2608783c6"
}
```

Payload

| Property | Type | Description |
| --- | --- | --- |
| iss | String | Channel ID. Found on the LINE Developers Console. Must be equal to sub. |
| sub | String | Channel ID. Found on the LINE Developers Console. Must be equal to iss. |
| aud | String | https://api.line.me/ |
| exp | Number | The expiry date of the JWT. Set this value in UNIX timestamp. The max lifetime of a JWT Assertion is 30 minutes. |
| token_exp | Number | Required when requesting a channel access token. This represents a valid expiration time for the channel access token in seconds. The max lifetime of a channel access token is 30 days. |

This is an example of a decoded payload value.

```json
{
  "iss": "1234567890",
  "sub": "1234567890",
  "aud": "https://api.line.me/",
  "exp": 1559702522,
  "token_exp": 86400
}
```

Signature

You can generate a JWT by signing the header and payload shown above with the private key of your Assertion Signing Key.

This is an example of code that generates a JWT by signing with a private key using node-jose. To create your own JWT with this code, change privateKey to the private key of your Assertion Signing Key, change the values of header and payload, and run it. See node-jose for more information on how to use node-jose. Be sure to sign with your private key to prove that the content has not been tampered with.

Example code using node-jose

```javascript
let jose = require('node-jose');

// Private key of the Assertion Signing Key in JWK format.
// Replace this value with the private key of your own Assertion Signing Key.
let privateKey = `
{
    "p": "4h8yEw4q9VkzhXMgXZsIZVkEuZ49EmtWYk9zs0hPTa24ejjRMA6KTYh_va0GlaChO9t0MVQVuduznt-OFZyRAinr4svU4MKD2A3gTHJJCxs0xICva8rkHXqxfPwXngpb5L_xFURbXcSTzMcKckWuOpyPznAgY4XsZxw0t7ewj9E",
    "kty": "RSA",
    "q": "pVhBdRN5K3MEiZzU4__TsrtSBJDD_stu60m73iIvsHIrvK3Dmfl-J1zhsyOvi3NH9mVXpUimBwP8nTe-BlVM71G7_EotFHeKH1zTmBlx6AOngmrc40W2Hd__OZW0NfC_xOTvI_Ea2BNGoGtcrIGVFLTivJ4y9wAVOKA058zJ0ls",
    "d": "ObzE_-TROJazDm-ry-8TKRBMGzwcwTK6lMFSk7n-Xp6h7cDauSdRRYnZivC1lh5plVG3I9aUmPTRbVk7nrPqOlp4WWKQ27lyLd5IogbArpXgnBSkp9Zy0lWzvOsI3gHNnYuehyksHB53FIK93t838JfDQoXUUzalNoNwAGfkTNZxT4GIXGMGzNck2Z_urOATMf8-wdad-u4a5IB2KfHugwH2kw-Zig7fbdcN4_DeKWpuigdesa48Yj_hRJRws-mVFp-xHlGJehumnM_v8FLD85ap8L1hwvBqdJQeurcLXYzZbtdp9a5GpJI7gzOTMoEdxIKlEIIbaOKv4rkkztdhoQ",
    "e": "AQAB",
    "use": "sig",
    "kid": "536e453c-aa93-4449-8e90-add2608783c6",
    "qi": "XQ2puK9LT5yimyJXlXb4nHEBzPGe3sYbaZW_gMK4iHuM8cseImwLNP8ZIeGaNx5X_hZ6ZOzkjtYJjY85fvaWa2UDGdGlEw3ZO-Nk0Qu_exBrqZgZAsua75TjpJRw01Yd1TNBx5MYuvhltJLsjW-uSjcE-rZoO74FEe9pYYeQjI4",
    "dp": "Qq_wlK4Y_ULRbwoFAZY3Y6xdOGDyofwF_fhwpu8sdDxHq8QV7ZZcM4GOKuJcjsRQyNZv7hxeS_H_h1tnC_igy4KRjtGOdrrnJ1DwVZte72eWqF1LXv73R7pnnfS7AmELuOriruL6Dy1qaXpKGmlyeNazkq5-3tsgXUh0Q7po2AE",
    "alg": "RS256",
    "dq": "Wj1ovDT8lLIZb-Ggby9YotuJT-SSk6UDzHZZikquLGajaD6N2qNILsOKivKXBEzOobN9uj-EHaAXZtbdZyd27cZ2CqORJvJ299b5xLFecXpNGeio1YFee7-c1BjYWfgjMZqgycT1GairizINSjkO3FY8ySSuPBBXhKgrN7eVDrE",
    "n": "kgwP0NPaoAwhSh9iLlRaT7FSRbNsl6T5-j-bB3xAT1UbsxOJ9v06S3_54bpYlEAkjlrO-i1vmSzfSVnqFXnjWThWRvPmBDth3Ka7hQm9UXjiAvTzYxXGFjyhALqa_-DQCtdrqIhi8E4hAuSu--kGgnFKg3G-21KJuqnVzsXrClGkxbmVufx0MJjJxr1YGfkTMG8i0dovS9tnkioDAkt1knupiYk5ir_WiNy4T-70T5s3ktC5_4Uz10hS-rWeUxiihzG8G7ceg84-Kt5jKP_AgUnel-ksRyfgSJCYC9nHyz913a3ALj3Dzt7TBaxwAjlxESrdNz5RE9DNDZfPmNWRSw"
}
`;

// JWT header: kid must match the kid property of the private key.
let header = {
    alg: "RS256",
    typ: "JWT",
    kid: "536e453c-aa93-4449-8e90-add2608783c6"
};

// JWT payload: iss and sub are both the channel ID.
let payload = {
    iss: "1234567890",
    sub: "1234567890",
    aud: "https://api.line.me/",
    // JWT expiry as a UNIX timestamp: 30 minutes from now (the maximum lifetime)
    exp: Math.floor(new Date().getTime() / 1000) + 60 * 30,
    // Channel access token lifetime in seconds: 30 days (the maximum lifetime)
    token_exp: 60 * 60 * 24 * 30
};

// Sign the payload with the private key and print the JWT in compact form.
jose.JWS.createSign({format: 'compact', fields: header}, JSON.parse(privateKey))
    .update(JSON.stringify(payload))
    .final()
    .then(result => {
        console.log(result);
    });
```

Sign the base64url-encoded header and the base64url-encoded claim set with a secret key (such as an rsa_private.pem file) using the algorithm you defined in the header. The signature is then base64url-encoded, and the result is the JWT.

Example encoded JWT

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjJjNjU4NWYzLThkZGQtNDZjNC05YmUyLWI1NGE3MGFhOTRlYSJ9.eyJpc3MiOiIxNjUzOTQ3MTcyIiwic3ViIjoiMTY1Mzk0NzE3MiIsImF1ZCI6Imh0dHBzOi8vYXBpLmxpbmUubWUvIiwiZXhwIjoiMTU4NTIwMDA2MiIsInRva2VuX2V4cCI6IjI1OTIwMDAifQ.UVG6PAEub-OPbZ3nJuVxRRPjY6Sz_eIHJV9DTTAHCR79YsG4yWvoa9AeIctibb6IJQKgTEV7mF7LsUDmXldEDqYwyEmKs38zj_995Ntc9SYBFphHpr09NqfMoqMphwKqms2NOnqgcHreFs27d9Q0Qv8Rtv2t7SB2cVO__KrsjzYNs3miTvDdkqYLXFo5fXwuzNtHOCAJomd6bhMR8Yd1-vJmtMCBPK4hmA98w8fG_NhcyLbw-B9AuxQ6z92zXiRhNyPlK_3ce2T7HtgUluJ4xJl4xdLJ_C6hvTAqtQxmSiJKzbjUiANF6hVBTomU8vkaIjEKjnlT1uPMihfrsA3pzQ
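
The "write your own code from scratch" route, as an added example that is not part of the original guide or LINE's own code: it uses only Node.js's built-in crypto module, refuses to sign claims that break the limits in the Payload table, and checks the result against the matching public key. The key pair, kid and channel ID are constructed placeholders, and `checkClaims`, `signAssertion` and `verifyAssertion` are hypothetical helper names.

```javascript
const nodeCrypto = require('node:crypto');

const MAX_JWT_LIFETIME = 30 * 60;             // JWT assertion: at most 30 minutes
const MAX_TOKEN_LIFETIME = 30 * 24 * 60 * 60; // channel access token: at most 30 days
const b64url = (value) => Buffer.from(value).toString('base64url');

// Returns the list of rule violations for an issue request; empty means acceptable.
function checkClaims(header, payload, now) {
  const errors = [];
  if (header.alg !== 'RS256' || header.typ !== 'JWT') errors.push('alg/typ must be RS256/JWT');
  if (!header.kid) errors.push('kid is missing');
  if (typeof payload.iss !== 'string' || payload.iss !== payload.sub) errors.push('iss must equal sub');
  if (payload.aud !== 'https://api.line.me/') errors.push('unexpected aud');
  const life = payload.exp - now;
  if (!Number.isInteger(payload.exp) || life <= 0 || life > MAX_JWT_LIFETIME) errors.push('exp out of range');
  const tokenExp = payload.token_exp;
  if (!Number.isInteger(tokenExp) || tokenExp < 1 || tokenExp > MAX_TOKEN_LIFETIME) errors.push('token_exp out of range');
  return errors;
}

// Signs base64url(header).base64url(payload) with RS256 (RSASSA-PKCS1-v1_5, SHA-256).
function signAssertion(header, payload, privateKey, now = Math.floor(Date.now() / 1000)) {
  const errors = checkClaims(header, payload, now);
  if (errors.length > 0) throw new Error('refusing to sign: ' + errors.join('; '));
  const signingInput = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(payload));
  const signature = nodeCrypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return signingInput + '.' + b64url(signature);
}

// Local self-check with the matching public key before the JWT leaves the process.
function verifyAssertion(jwt, publicKey) {
  const [h, p, s] = jwt.split('.');
  return nodeCrypto.verify('sha256', Buffer.from(h + '.' + p), publicKey, Buffer.from(s, 'base64url'));
}

// Constructed demo: throwaway key pair, placeholder kid and channel ID.
function demo() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const now = Math.floor(Date.now() / 1000);
  const header = { alg: 'RS256', typ: 'JWT', kid: 'example-kid' };
  const payload = { iss: '1234567890', sub: '1234567890', aud: 'https://api.line.me/',
                    exp: now + MAX_JWT_LIFETIME, token_exp: 86400 };
  const jwt = signAssertion(header, payload, privateKey, now);
  return { jwt, valid: verifyAssertion(jwt, publicKey), header, payload, privateKey, publicKey, now };
}
```

A private key held in JWK form can be loaded for `signAssertion` with `crypto.createPrivateKey({ key: jwk, format: 'jwk' })`.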

# Issue channel access tokens v2.1

You can issue a channel access token v2.1 by specifying the JWT assertion generated by the procedure in Generate a JWT.

To manage channel access tokens v2.1 using key IDs
  • The response when issuing a channel access token v2.1 includes a channel access token and a unique key ID (key_id) pair. To manage channel access tokens correctly, be sure to store the channel access token and key ID pair at the time of issuing.
  • The key ID is an identifier added to the Messaging API on June 22, 2020. If your app is using a channel access token v2.1 that doesn't have a key ID, we encourage you to re-issue a channel access token v2.1 and store the token and key ID pair. Change your app to always use the new token if the channel access token is re-issued.

Store the pair of issued access tokens and key IDs

  1. To issue a channel access token, specify the generated JWT and execute the Issue channel access token v2.1 endpoint.
  2. Channel access token and key ID are returned from the LINE Platform.
  3. Store the channel access token and key ID pair in a database or other location.

# Revoke channel access token v2.1

You can revoke a channel access token v2.1 by specifying a valid channel access token.

To identify valid channel access tokens

No error occurs even if you specify an invalid channel access token when executing the Revoke channel access token v2.1 endpoint. To get key IDs paired to the current valid channel access tokens, execute the Get all valid channel access token key IDs v2.1 endpoint. To identify the valid access token, match the obtained key ID to its respective channel access token.

Store the pair of issued access tokens and key IDs

  1. Re-generate a JWT from the stored assertion signing key.
  2. Execute the Get all valid channel access token key IDs v2.1 endpoint with the JWT specified.
  3. The valid channel access token and key ID are returned from the LINE Platform.
  4. Explore the database that stores the channel access token and key ID pair.
  5. Search for the channel access token and key ID pair that match the obtained key ID.
  6. Get the valid channel access token.
  7. Specify the valid channel access token and execute the Revoke channel access token v2.1 endpoint.
  8. The channel access token is revoked from the LINE Platform.
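
Because the revoke call reports no error for an invalid token, the matching in steps 4 to 6 is the only place where a stale or missing token shows up. The following added example (not LINE's code) sorts stored pairs against the returned key IDs; the row shape `{ keyId, accessToken }`, the plain array of key IDs and all sample values are assumptions constructed for illustration.

```javascript
// Hypothetical stored row shape: { keyId: string | null, accessToken: string }.
// validKeyIds: the key IDs obtained in step 3, passed here as a plain array of strings.
function planRevocation(storedRows, validKeyIds) {
  const valid = new Set(validKeyIds);
  const matched = new Set();
  const plan = { revoke: [], stale: [], noKeyId: [], untracked: [] };
  for (const row of storedRows) {
    if (!row.keyId) {
      plan.noKeyId.push(row);      // stored without a key ID: cannot be matched
    } else if (valid.has(row.keyId)) {
      plan.revoke.push(row);       // confirmed valid: pass accessToken to the revoke call
      matched.add(row.keyId);
    } else {
      plan.stale.push(row);        // not in the valid list: purge from the store
    }
  }
  // Valid on the platform but absent from the store: the token value is unknown here,
  // so it cannot be passed to the revoke call from this store.
  plan.untracked = [...valid].filter((keyId) => !matched.has(keyId));
  return plan;
}

// Key IDs only, so the plan can be logged without exposing token values.
function summarize(plan) {
  const ids = (rows) => rows.map((row) => row.keyId);
  return { revoke: ids(plan.revoke), stale: ids(plan.stale),
           noKeyId: plan.noKeyId.length, untracked: plan.untracked };
}

// Constructed sample data; token strings and key IDs are placeholders.
const sampleRows = [
  { keyId: 'kid-a', accessToken: 'token-a' },
  { keyId: 'kid-b', accessToken: 'token-b' },
  { keyId: null, accessToken: 'token-legacy' },
];
const sampleValidKeyIds = ['kid-a', 'kid-c'];
const samplePlan = planRevocation(sampleRows, sampleValidKeyIds);
```

Rows in `noKeyId` correspond to tokens issued without a key ID, which the guide recommends re-issuing; entries in `untracked` are worth investigating because a valid token exists that the store has no record of.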