
# Generating a JSON Web Token

A JWT adds security and flexibility to the captures process. For the iframe element to work correctly, a valid JWT must be passed in the “-t” query parameter of the iframe source URL. In this section, you will learn how to generate a valid JWT on your server and pass it into the iframe source.

The Node.js example below illustrates how to generate the JWT. You must replace the SECRET field with the valid SECRET code provided by the Firstoken team during the onboarding and account setup process. If you do not have a SECRET code yet, please contact your representative agent to complete the setup process.

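```javascript
var nJwt = require('njwt');

// SECRET is the code provided by Firstoken during onboarding. Keep it on the
// server; the environment variable name used here is only an example.
var SECRET = process.env.FIRSTOKEN_SECRET;
var signingKey = SECRET;

// The three required claims, described below.
var claims = {
    sub: "3a59a5d4-7069-4bbd-b1ab-faece289cfb7",
    form_id: "3d824b19-fbeb-4ecd-addb-fbc57e5c0545",
    origin: "http://example.com/"
};

// Create the signed token and serialize it to its compact string form.
var jwt = nJwt.create(claims, signingKey);
var token = jwt.compact();
console.log(token);
```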

As the example above shows, the payload object of the JWT must carry three required values. In Firstoken Captures you can build multiple forms, and every form embedded in an iframe has an identifier. Having multiple forms is useful when you have different payment flows; for example, you can have one form with a CVV field and another without it, and dynamically embed a different iframe for each payment case. The list below describes every required value that you must insert into the payload object.

> **sub**: *Required*
>
> The identifier of your account. This value is unique for every client account in Firstoken. If you do not have an account identifier yet, please ask your representative agent to provide one.
>
> **form\_id**: *Required*
>
> The identifier of the form being invoked. This value is unique for every form in your account. You can have multiple forms for different payment flows. A form is built using our own form JSON Schema, explained in the next section.
>
> **origin**: *Required*
>
> The origin is the URL of the window that receives the final message sent from Firstoken Captures. Firstoken uses the postMessage interface to send messages from the Firstoken Captures iframe to the window that invokes it, and you can read these messages on your client side using a JavaScript listener. This interaction is explained in detail in the "Post message" section.
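
The per-flow token generation described above, as an added example that is not Firstoken's own code: `form_id` and `origin` are taken from server-side configuration rather than from the request, and the token goes into the `-t` parameter. It signs with Node's built-in `crypto` in place of njwt (HS256 with `jti`, `iat` and a one-hour `exp`, which are njwt's defaults); the form ids, allowed origin, iframe base URL and helper names are assumptions.

```javascript
const crypto = require('crypto');

// Constructed placeholders: form ids, allowed origin and iframe base URL are assumptions.
const FORMS = {
  card_with_cvv: '11111111-1111-4111-8111-111111111111',
  card_without_cvv: '22222222-2222-4222-8222-222222222222',
};
const ALLOWED_ORIGINS = new Set(['https://shop.example.com/']);
const b64url = (s) => Buffer.from(s).toString('base64url');
const nowSec = () => Math.floor(Date.now() / 1000);

// Build the three required claims from server-side configuration, never from request input.
function buildClaims(accountId, flow, origin) {
  if (!Object.prototype.hasOwnProperty.call(FORMS, flow)) throw new Error('unknown payment flow');
  if (!ALLOWED_ORIGINS.has(origin)) throw new Error('origin not allowed');
  return { sub: accountId, form_id: FORMS[flow], origin };
}

// HS256 compact JWT with jti, iat and a one-hour exp (the defaults njwt applies).
function signToken(claims, secret, now = nowSec()) {
  const head = b64url(JSON.stringify({ typ: 'JWT', alg: 'HS256' }));
  const body = b64url(JSON.stringify({ ...claims, jti: crypto.randomUUID(), iat: now, exp: now + 3600 }));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Check the signature in constant time and the expiry; returns the payload or throws.
function verifyToken(token, secret, now = nowSec()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const want = crypto.createHmac('sha256', secret).update(`${parts[0]}.${parts[1]}`).digest();
  const got = Buffer.from(parts[2], 'base64url');
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) throw new Error('bad signature');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (payload.exp <= now) throw new Error('token expired');
  return payload;
}

// Put the token in the "-t" query parameter of the iframe source.
function iframeSrc(baseUrl, token) {
  const url = new URL(baseUrl);
  url.searchParams.set('-t', token);
  return url.toString();
}

// Demo with a constructed secret; in production use the SECRET issued by Firstoken.
const demoSecret = crypto.randomBytes(32);
const demoToken = signToken(buildClaims('3a59a5d4-7069-4bbd-b1ab-faece289cfb7', 'card_with_cvv', 'https://shop.example.com/'), demoSecret);
console.log(iframeSrc('https://captures.example.invalid/form', demoToken));
```

`verifyToken` is included only to show that editing `form_id` or `origin` in the browser invalidates the signature; your server only needs the signing side.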

