How to Create JSON Web Token (JWT) with Google Apps Script

You can utilize Google Script to make JSON Web Tokens (JWT) that can be given to make sure about courses so that lone verified solicitations that contain a legitimate token can associate with the APIs (e.g., the Zoom API).

All JSON Web Tokens have three sections:

The header that indicates the hash calculation that is utilized for marking and unscrambling the JWT.

The payload in JSON design that contains all the client information. The iat and exp properties speak to the issue date and the termination time individually however you can pass any information to the payload.

The mark information that permits APIs to build up the realness of the entrance token.

const createJwt = ({ privateKey, expiresInHours, data = {} }) => {
  // Sign token using HMAC with SHA-256 algorithm
  const header = {
    alg: 'HS256',
    typ: 'JWT',

  const now =;
  const expires = new Date(now);
  expires.setHours(expires.getHours() + expiresInHours);

  // iat = issued time, exp = expiration time
  const payload = {
    exp: Math.round(expires.getTime() / 1000),
    iat: Math.round(now / 1000),

  // add user payload
  Object.keys(data).forEach(function (key) {
    payload[key] = data[key];

  const base64Encode = (text, json = true) => {
    const data = json ? JSON.stringify(text) : text;
    return Utilities.base64EncodeWebSafe(data).replace(/=+$/, '');

  const toSign = `${base64Encode(header)}.${base64Encode(payload)}`;
  const signatureBytes = Utilities.computeHmacSha256Signature(
  const signature = base64Encode(signatureBytes, false);
  return `${toSign}.${signature}`;

The parts are gotten together with a dab (period) and information is encoded in Base64 utilizing the Utilities.base64EncodeWebSafe technique for Apps Script.

Generate Token with your Private Key & Payload

const generateAccessToken = () => {
  // Your super secret private key
  const privateKey =
  const accessToken = createJwt({
    expiresInHours: 6, // expires in 6 hours
    data: {
      iss: Session.getActiveUser().getEmail(),
      userId: 123,
      name: 'Amit Agarwal',

You can glue the produced admittance token in and you’ll have the option to see the substance (payload) of the decoded token. It would be ideal if you note that if the token has invalid mark information, the payload may even now be decoded as it is encoded in Base64.

Decoding JWT Payload with Google Apps Script

const parseJwt = (jsonWebToken, privateKey) => {
  const [header, payload, signature] = jsonWebToken.split('.');
  const signatureBytes = Utilities.computeHmacSha256Signature(
  const validSignature = Utilities.base64EncodeWebSafe(signatureBytes);
  if (signature === validSignature.replace(/=+$/, '')) {
    const blob = Utilities.newBlob(
    const { exp, } = JSON.parse(blob);
    if (new Date(exp * 1000) < new Date()) {
      throw new Error('The token has expired');
  } else {
    Logger.log('🔴', 'Invalid Signature');

Leave a Reply

Your email address will not be published. Required fields are marked *