Associating Required JSON Web Token Claims with REST Classes

The Add JSON Web Token Claims dialog enables you to specify the claims that must be present in a JSON Web Token (JWT) in order to access a Jade REST API method. As long as one or more required claims are associated with a method, any incoming REST request must include a JSON Web Token in the authorization header of the HTTP request; that is, it must include a header of the form Authorization: Bearer <Token>.

You can configure JSON Web Token (JWT) authentication at the class level, applying the specified JWT claims to all REST methods defined on that class and its subclasses (excluding imported classes). Both class‑level and method‑level JWT authentication are inherited by subclasses, and can be reimplemented at the subclass level.

When a REST API method (a method of a subclass of the JadeRestService class, associated with an application of type Rest Services or Rest Services, Non‑Gui) has required claims associated with it, a new method is generated and added to the class of that method. This method is named the same as the REST API method except that it is prefixed with s__ and is hereafter known as a shadow method. The shadow method is used by the REST service to get the JadeRequiredClaimAnnotations associated with the REST API method. When you define a class-level claim, a shadow method with the name s__ClassJWTValidation is created.

To configure class-level JWT authentication, open the Class Browser and right-click any user-defined class (excluding imported classes) that subclasses the JadeRestService class and then select the REST Security Options command in the popup menu. You can then define the JWT claims that will be required for every REST method on that class, except for methods that have JWT claims defined at the method level. For details, see "Associating Required JSON Web Token Claims with REST API Methods", elsewhere in this document.

Method‑level JWT authentication always takes precedence over class‑level authentication, even when no JWT claims are defined at method level.

Define the required JWT claims that apply to all REST methods in the class (and its subclasses), unless a method has its own method‑specific required JWT claims defined.

This approach allows you to establish a default security policy at the class level, ensuring that all REST methods within the class (and its subclasses) require a set of JWT claims by default. At the same time, it provides the flexibility to selectively relax, strengthen, or remove required claims for individual methods by defining method‑specific claims.

Class-level JWT claim authentication is defined by selecting the class in the Class Browser and then selecting the REST Security Options command from the Classes menu, or by right‑clicking the class and then selecting the REST Security Options command from the popup menu.

Method-specific required claims always override the class-level default values for that method.

To remove all required claims for a specific method when a set of required claims exists at the class level, open the Add JWT Claims dialog for that method, do not add any claims, and then click the OK button.
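The precedence and inheritance rules described above can be modelled outside Jade to review which methods end up without a required token. The following Python model is an added example, not Jade code or part of the product. Assumptions: class, method, and claim names are constructed, claims are reduced to their names, and an inherited method-level definition is taken to win over a subclass's class-level claims, as one reading of "method-level always takes precedence".

```python
# Added model of the precedence rules; not Jade code. All names are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RestClass:
    name: str
    parent: Optional["RestClass"] = None
    class_claims: Optional[frozenset] = None   # None: no class-level claims defined
    method_claims: dict = field(default_factory=dict)  # method -> frozenset, may be empty

def lineage(cls):
    """Yield cls, then each superclass up to the root."""
    while cls is not None:
        yield cls
        cls = cls.parent

def effective_claims(cls, method):
    """Return (required claim names, where they were defined)."""
    # Assumption: the nearest method-level definition wins, even an empty one.
    for c in lineage(cls):
        if method in c.method_claims:
            return c.method_claims[method], f"method-level on {c.name}"
    # Otherwise the nearest class-level default applies.
    for c in lineage(cls):
        if c.class_claims is not None:
            return c.class_claims, f"class-level on {c.name}"
    return frozenset(), "none"

def token_required(cls, method):
    """A bearer token is demanded only when at least one claim is required."""
    return bool(effective_claims(cls, method)[0])

def cleared_by_override(cls, methods):
    """Methods left open because an empty method-level set hides a class default."""
    has_default = any(c.class_claims for c in lineage(cls))
    return [m for m in methods
            if has_default and not token_required(cls, m)
            and effective_claims(cls, m)[1].startswith("method-level")]

# Constructed hierarchy: OrdersApiV2 reimplements the class-level default.
base = RestClass("OrdersApi", class_claims=frozenset({"iss", "scope"}),
                 method_claims={"getHealth": frozenset(),
                                "deleteOrder": frozenset({"iss", "scope", "role"})})
sub = RestClass("OrdersApiV2", parent=base,
                class_claims=frozenset({"iss", "scope", "aud"}))

if __name__ == "__main__":
    for m in ("listOrders", "getHealth", "deleteOrder"):
        print(m, *effective_claims(sub, m))
    print("review:", cleared_by_override(sub, ["listOrders", "getHealth", "deleteOrder"]))
```

In this model, `cleared_by_override` lists the methods a reviewer should confirm were intentionally left without required claims.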

The Add JSON Web Token Claims dialog, which is then displayed, allows you to:

  • When a method of any subclass of the JadeRestService class is selected, select the REST Security Options command in the development environment Methods menu to open the Add JSON Web Token Claims dialog. For details, see "Adding a JSON Web Token Claim", elsewhere in this document.

  • From Jade 2025 R2, visual indicators in the Methods List of the Class Browser help you to identify REST methods and REST methods that are protected by JWT claims.

    These icons, which replace the standard method access icons (for example, public or private) when displayed, are intended as a visual aid during development only. They must not be relied upon as the sole means of determining whether a method is a REST endpoint, or whether it is protected by JWT claims.

    In a source-stripped system, the icons never display the protected variant, even if the method is protected.

    The icons are displayed only in the hierarchy browser, not in other browsers (for example, sub‑browsers or the Senders Browser).

    As the shadow method is generated, it should not be modified. If you want to modify the claim associated with the REST API method, use the Add JSON Web Token Claims dialog to modify an existing set of required claims.

    2025 R2 and higher