InvalidNameForAdditionalClaim
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision 2 Invalid name for additional claim : policy(policy_name) claim(claim_name).
Example error message
Error Saving Revision 2
Invalid name for additional claim : policy(JWT-Generate-HS256) claim(iss).
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
This error occurs if the name of the claim used in the child element <Claim> of the <AdditionalClaims> element is one of the following registered names:
"kid", "iss", "sub", "aud", "iat", "exp", "nbf", "jti"
The registered claims are specified in RFC 7519.
For example, using the claim name iss under the <AdditionalClaims> element will lead to this error.
Diagnosis
- Identify the name of the Generate JWT policy and the claim name from the error message. For example, in the following error message, the name of the Generate JWT policy is JWT-Generate-HS256 and the claim name is iss:
    Invalid name for additional claim : policy(JWT-Generate-HS256) claim(iss).
- Verify that the claim name used under the <AdditionalClaims> element in the failed Generate JWT policy XML matches the claim name identified in the error message (Step 1 above). For example, the following policy specifies the claim as iss, which matches what's in the error message:
    <GenerateJWT name="JWT-Generate-HS256">
        <DisplayName>JWT Generate HS256</DisplayName>
        <Algorithm>HS256</Algorithm>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <SecretKey>
            <Value ref="private.secretkey"/>
            <Id>1918290</Id>
        </SecretKey>
        <ExpiresIn>1h</ExpiresIn>
        <Subject>monty-pythons-flying-circus</Subject>
        <Issuer>urn://apigee-JWT-policy-test</Issuer>
        <Audience>fans</Audience>
        <Id/>
        <AdditionalClaims>
            <Claim name="iss"/>
        </AdditionalClaims>
    </GenerateJWT>
- If the claim name used in the child element <Claim> of the <AdditionalClaims> element is one of the following registered names:
    "kid", "iss", "sub", "aud", "iat", "exp", "nbf", "jti"
  then that's the cause of the error.
  In the example Generate JWT policy shown above, the <Claim> name is specified as iss under the <AdditionalClaims> element, resulting in the error:
    Invalid name for additional claim : policy(JWT-Generate-HS256) claim(iss).
Resolution
Do not use any of the registered names "kid", "iss", "sub", "aud", "iat", "exp", "nbf" or "jti" in the child element <Claim> of the <AdditionalClaims> element.
To correct the example Generate JWT policy shown above, change the claim name to status:
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <SecretKey>
        <Value ref="private.secretkey"/>
        <Id>1918290</Id>
    </SecretKey>
    <ExpiresIn>1h</ExpiresIn>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalClaims>
        <Claim name='status' type='string'>Development</Claim>
    </AdditionalClaims>
</GenerateJWT>
InvalidTypeForAdditionalClaim
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision 2 Invalid type for additional claim : policy(policy_name) claim(claim_name) type(type_name).
Example error message
Error Saving Revision 2
Invalid type for additional claim : policy(JWT-Generate-HS256) claim(claim) type(integer).
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
This error occurs if the type of claim used in the child element <Claim> of the <AdditionalClaims> element of the GenerateJWT policy is not one of the following types:
string (default), number, boolean, or map
For example, using the claim type integer under the <AdditionalClaims> element will result in the error.
Diagnosis
- Identify the name of the Generate JWT policy, the claim name, and the claim type from the error message. For example, in the following error message, the name of the Generate JWT policy is JWT-Generate-HS256, the claim name is claim and the claim type is integer:
    Invalid type for additional claim : policy(JWT-Generate-HS256) claim(claim) type(integer).
- Verify that the claim name and the type used under the <AdditionalClaims> element in the failed Generate JWT policy XML match the claim name and type identified in the error message in Step 1. For example, the following policy specifies the claim as claim and the type as integer, which matches what's in the error message:
    <GenerateJWT name="JWT-Generate-HS256">
        <DisplayName>JWT Generate HS256</DisplayName>
        <Algorithm>HS256</Algorithm>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <SecretKey>
            <Value ref="private.secretkey"/>
            <Id>1918290</Id>
        </SecretKey>
        <ExpiresIn>1h</ExpiresIn>
        <Subject>monty-pythons-flying-circus</Subject>
        <Issuer>urn://apigee-JWT-policy-test</Issuer>
        <Audience>fans</Audience>
        <Id/>
        <AdditionalClaims>
            <Claim name='claim' ref='reqclaim' type='integer'/>
        </AdditionalClaims>
    </GenerateJWT>
- If the claim type used in the child element <Claim> of the <AdditionalClaims> element is not one of the following types:
    string (default), number, boolean, or map
  then that's the cause of the error.
  In the example Generate JWT policy shown above, the <Claim> type under the <AdditionalClaims> element is specified as integer. Because integer is not a supported type, you get the error:
    Invalid type for additional claim : policy(JWT-Generate-HS256) claim(claim) type(integer).
Resolution
Ensure that only supported data types such as string, number, boolean, or map are used in the child element <Claim> of the <AdditionalClaims> element.
To correct the example Generate JWT policy shown above, change the claim type to boolean:
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <SecretKey>
        <Value ref="private.secretkey"/>
        <Id>1918290</Id>
    </SecretKey>
    <ExpiresIn>1h</ExpiresIn>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalClaims>
        <Claim name='claim' ref='reqclaim' type='boolean'/>
    </AdditionalClaims>
</GenerateJWT>
MissingNameForAdditionalClaim
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision 2 Error occurred while validation of bean(policy_name.xml) Reason: - Required attribute name is missing in Claim.
Example error message
Error Saving Revision 2
Error occurred while validation of bean JWT-Generate-HS256.xml. Reason: - Required attribute name is missing in Claim
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
This error occurs if the name of the claim is not specified in the child element <Claim> of the <AdditionalClaims> or <AdditionalHeaders> element.
Diagnosis
- Identify the name of the Generate JWT policy from the error message. For example, in the following error message, the name of the Generate JWT policy is JWT-Generate-HS256:
    Error occurred while validation of bean JWT-Generate-HS256.xml. Reason: - Required attribute name is missing in Claim
- Examine the failed Generate JWT policy XML and verify whether the claim name is missing in the child element <Claim> under the <AdditionalClaims> or <AdditionalHeaders> element. For example, the following Generate JWT policy does not specify the claim name under the <AdditionalClaims> element:
    <GenerateJWT name="JWT-Generate-HS256">
        <DisplayName>JWT Generate HS256</DisplayName>
        <Algorithm>HS256</Algorithm>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <SecretKey>
            <Value ref="private.secretkey"/>
            <Id>1918290</Id>
        </SecretKey>
        <ExpiresIn>1h</ExpiresIn>
        <Subject>monty-pythons-flying-circus</Subject>
        <Issuer>urn://apigee-JWT-policy-test</Issuer>
        <Audience>fans</Audience>
        <Id/>
        <AdditionalClaims>
            <Claim ref='reqclaim' type='boolean'/>
        </AdditionalClaims>
    </GenerateJWT>
  Because the <Claim> name is not specified under the <AdditionalClaims> element, you get the error:
    Error occurred while validation of bean JWT-Generate-HS256.xml. Reason: - Required attribute name is missing in Claim
Resolution
Ensure that the name of the claim is always specified in the child element <Claim> of the <AdditionalClaims> or <AdditionalHeaders> element.
To correct the example Generate JWT policy shown above, specify the claim name as shown below:
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <SecretKey>
        <Value ref="private.secretkey"/>
        <Id>1918290</Id>
    </SecretKey>
    <ExpiresIn>1h</ExpiresIn>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalClaims>
        <Claim name='claim' ref='reqclaim' type='boolean'/>
    </AdditionalClaims>
</GenerateJWT>
InvalidNameForAdditionalHeader
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision 2 Invalid name for additional header : policy(policy_name)header(header_name).
Example error message
Error Saving Revision 2
Invalid name for additional header: policy(JWT-Generate-HS256) header(alg).
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
This error occurs if the name of the claim used in the child element <Claim> of the <AdditionalHeaders> element is one of the following standard JWT headers:
alg or typ
For example, using the claim name alg under the <AdditionalHeaders> element will cause the error.
Diagnosis
- Identify the name of the Generate JWT policy and the header name from the error message. For example, in the following error message, the name of the Generate JWT policy is JWT-Generate-HS256 and the header name is alg:
    Invalid name for additional header: policy(JWT-Generate-HS256) header(alg).
- Verify that the header name used in the child element <Claim> under the <AdditionalHeaders> element in the failed Generate JWT policy XML matches the header name identified in the error message in Step 1. For example, the following policy specifies the header as alg, which matches what's in the error message:
    <GenerateJWT name="JWT-Generate-HS256">
        <DisplayName>JWT Generate HS256</DisplayName>
        <Algorithm>HS256</Algorithm>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <SecretKey>
            <Value ref="private.secretkey"/>
            <Id>1918290</Id>
        </SecretKey>
        <ExpiresIn>1h</ExpiresIn>
        <Subject>monty-pythons-flying-circus</Subject>
        <Issuer>urn://apigee-JWT-policy-test</Issuer>
        <Audience>fans</Audience>
        <Id/>
        <AdditionalHeaders>
            <Claim name="alg"/>
        </AdditionalHeaders>
    </GenerateJWT>
- If the header name used in the child element <Claim> of the <AdditionalHeaders> element is one of the following standard JWT headers:
    alg or typ
  then that's the cause of the error.
  In the example Generate JWT policy shown above, the <Claim> name is specified as alg under the <AdditionalHeaders> element, resulting in the error:
    Invalid name for additional header: policy(JWT-Generate-HS256) header(alg).
Resolution
Do not use the standard JWT headers alg or typ in the child element <Claim> of the <AdditionalHeaders> element.
To correct the example Generate JWT policy shown above, use the name x5c in the child element <Claim> of the <AdditionalHeaders> element:
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <SecretKey>
        <Value ref="private.secretkey"/>
        <Id>1918290</Id>
    </SecretKey>
    <ExpiresIn>1h</ExpiresIn>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalHeaders>
        <Claim name='x5c'/>
    </AdditionalHeaders>
</GenerateJWT>
InvalidTypeForAdditionalHeader
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision 2 Invalid type for additional header : policy(policy_name) claim(claim_name) type(type_name).
Example error message
Error Saving Revision 2
Invalid type for additional header : policy(JWT-Generate-HS256) claim(claim1) type(integer).
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
The error will occur if the type of claim used in the child element <Claim> of the <AdditionalHeaders> element of the GenerateJWT policy is not one of the following types:
string (default), number, boolean, or map.
For example, using the claim type integer under the <AdditionalHeaders> element will cause the error.
Diagnosis
- Identify the name of the Generate JWT policy, the claim name, and the claim type from the error message. For example, in the following error message, the name of the Generate JWT policy is JWT-Generate-HS256, the claim name is claim, and the claim type is integer:
    Invalid type for additional header : policy(JWT-Generate-HS256) claim(claim) type(integer).
- Verify that the claim name and the claim type used under the <AdditionalHeaders> element in the failed Generate JWT policy XML match the claim name and claim type identified in the error message in Step 1. For example, the following policy specifies the claim as claim and the claim type as integer, which matches what's in the error message:
    <GenerateJWT name="JWT-Generate-HS256">
        <DisplayName>JWT Generate HS256</DisplayName>
        <Algorithm>HS256</Algorithm>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <SecretKey>
            <Value ref="private.secretkey"/>
            <Id>1918290</Id>
        </SecretKey>
        <ExpiresIn>1h</ExpiresIn>
        <Subject>monty-pythons-flying-circus</Subject>
        <Issuer>urn://apigee-JWT-policy-test</Issuer>
        <Audience>fans</Audience>
        <Id/>
        <AdditionalHeaders>
            <Claim name='claim' ref='reqclaim' type='integer'/>
        </AdditionalHeaders>
    </GenerateJWT>
- If the claim type used in the child element <Claim> of the <AdditionalHeaders> element is not one of the following types:
    string (default), number, boolean, or map
  then that's the cause of the error.
  In the example Generate JWT policy shown above, the <Claim> type under the <AdditionalHeaders> element is specified as integer. Because integer is not a supported type, you get the error:
    Invalid type for additional header : policy(JWT-Generate-HS256) claim(claim) type(integer).
Resolution
Ensure that only the supported data types string, number, boolean, or map are used in the child element <Claim> of the <AdditionalHeaders> element.
To correct the example Generate JWT policy shown above, change the claim type to boolean:
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <SecretKey>
        <Value ref="private.secretkey"/>
        <Id>1918290</Id>
    </SecretKey>
    <ExpiresIn>1h</ExpiresIn>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalHeaders>
        <Claim name='claim' ref='reqclaim' type='boolean'/>
    </AdditionalHeaders>
</GenerateJWT>
InvalidValueOfArrayAttribute
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision 2 Invalid value for array attribute: policy(policy_name)claim(claim_name).
Example error message
Error Saving Revision 2
Invalid value for array attribute: policy(JWT-Generate-HS256) claim(claim).
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
This error occurs if the value of the array attribute in the child element <Claim> of the <AdditionalClaims> or <AdditionalHeaders> element is not set to true or false.
For example, setting the value of the array attribute as yes in the child element <Claim> of the <AdditionalClaims> or <AdditionalHeaders> causes the error.
Diagnosis
- Identify the name of the Generate JWT policy and the claim name from the error message. For example, in the following error message, the name of the Generate JWT policy is JWT-Generate-HS256 and the claim name is claim:
    Invalid value for array attribute: policy(JWT-Generate-HS256) claim(claim).
- Verify that the claim name used in the child element <Claim> under the <AdditionalClaims> element in the failed Generate JWT policy XML matches the claim name identified in the error message in Step 1. For example, the following policy specifies the claim name as claim, which matches what's in the error message:
    <GenerateJWT name="JWT-Generate-HS256">
        <DisplayName>JWT Generate HS256</DisplayName>
        <Algorithm>HS256</Algorithm>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <SecretKey>
            <Value ref="private.secretkey"/>
            <Id>1918290</Id>
        </SecretKey>
        <ExpiresIn>1h</ExpiresIn>
        <Subject>monty-pythons-flying-circus</Subject>
        <Issuer>urn://apigee-JWT-policy-test</Issuer>
        <Audience>fans</Audience>
        <Id/>
        <AdditionalClaims>
            <Claim name='claim' ref='reqclaim' type='string' array='yes'/>
        </AdditionalClaims>
    </GenerateJWT>
- If the value of the array attribute in the child element <Claim> of the <AdditionalClaims> element is not set to true or false, then that's the cause of the error.
  Because the array attribute in the child element <Claim> of the <AdditionalClaims> element is set to yes in the example above, you get the error:
    Invalid value for array attribute: policy(JWT-Generate-HS256) claim(claim).
Resolution
Ensure that the value of the array attribute in the child element <Claim> of the <AdditionalClaims> or <AdditionalHeaders> element is set to true or false.
To correct the example Generate JWT policy shown above, change the value of array attribute to true:
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <SecretKey>
        <Value ref="private.secretkey"/>
        <Id>1918290</Id>
    </SecretKey>
    <ExpiresIn>1h</ExpiresIn>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalHeaders>
        <Claim name='claim' ref='reqclaim' type='string' array='true'/>
    </AdditionalHeaders>
</GenerateJWT>
InvalidConfigurationForActionAndAlgorithm
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision 2
Invalid configuration element for this action and algorithm Family: policy(policy_name) element(element_name) action(action_name) family(family_name).
Example error message
Error Saving Revision 2 Invalid configuration element for this action and algorithm Family: policy(JWT-Generate-HS256) element(PrivateKey) action(Generate) family(HMAC).
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
This error occurs if the <PrivateKey> element is used with HS Family algorithms or the <SecretKey> element is used with RSA Family algorithms. Either condition alone causes the error.
For example, using the <PrivateKey> element with HS Family algorithms leads to this error.
Diagnosis
- Identify the name of the Generate JWT policy, the element name, and the algorithm family name from the error message. For example, in the following error message the name of the Generate JWT policy is JWT-Generate-HS256, the element name is PrivateKey and the algorithm family is HMAC:
    Invalid configuration element for this action and algorithm Family: policy(JWT-Generate-HS256) element(PrivateKey) action(Generate) family(HMAC).
- Verify that the element and the algorithm family used in the failed Generate JWT policy XML match the element and the algorithm family identified in the error message in Step 1. For example, the following policy specifies the element as PrivateKey and the algorithm family as HMAC, which matches what's in the error message:
    <GenerateJWT name="JWT-Generate-HS256">
        <DisplayName>JWT Generate HS256</DisplayName>
        <Algorithm>HS256</Algorithm>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <PrivateKey>
            <Password ref="private.privatekey-password"/>
        </PrivateKey>
        <ExpiresIn>1h</ExpiresIn>
        <Subject>monty-pythons-flying-circus</Subject>
        <Issuer>urn://apigee-JWT-policy-test</Issuer>
        <Audience>fans</Audience>
        <Id/>
        <AdditionalClaims>
            <Claim name='claim' ref='reqclaim' type='string' array='true'/>
        </AdditionalClaims>
    </GenerateJWT>
- If the value of the <Algorithm> element is HS256, but you have used <PrivateKey>, then that's the cause of the error.
  In the example Generate JWT policy shown above, the <PrivateKey> element is used even though the <Algorithm> element is set to an HS Family algorithm, HS256, resulting in the error:
    Invalid configuration element for this action and algorithm Family: policy(JWT-Generate-HS256) element(PrivateKey) action(Generate) family(HMAC).
Resolution
Ensure the <PrivateKey> element is used only with RSA Family algorithms and the <SecretKey> element is used only with HS Family algorithms.
To correct the example Generate JWT policy shown above, which uses the HS256 algorithm, use the <SecretKey> element:
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <SecretKey>
        <Value ref="private.secretkey"/>
        <Id>1918290</Id>
    </SecretKey>
    <ExpiresIn>1h</ExpiresIn>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalHeaders>
        <Claim name='claim' ref='reqclaim' type='string' array='true'/>
    </AdditionalHeaders>
</GenerateJWT>
InvalidValueForElement
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision 2 Invalid Value for element : policy(policy_name) element(element_name).
Example error message
Error Saving Revision 2
Invalid Value for element : policy(JWT-Generate-HS256) element(Algorithm).
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
This error occurs if the value specified in the <Algorithm> element is not one of the following values:
HS256, HS384, HS512, RS256, RS384, RS512
For example, specifying the algorithm value as RS128 in the <Algorithm> element leads to this error.
Diagnosis
- Identify the name of the Generate JWT policy and the element name from the error message. For example, in the following error message, the name of the Generate JWT policy is JWT-Generate-HS256 and the element name is Algorithm.
    Invalid Value for element : policy(JWT-Generate-HS256) element(Algorithm).
- Examine the failed Generate JWT policy XML and check the value specified for the <Algorithm> element.
  Here's a sample Generate JWT policy:
    <GenerateJWT name="JWT-Generate-HS256">
        <DisplayName>JWT Generate HS256</DisplayName>
        <Algorithm>HS128</Algorithm>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <SecretKey>
            <Value ref="private.secretkey"/>
            <Id>1918290</Id>
        </SecretKey>
        <ExpiresIn>1h</ExpiresIn>
        <Subject>monty-pythons-flying-circus</Subject>
        <Issuer>urn://apigee-JWT-policy-test</Issuer>
        <Audience>fans</Audience>
        <Id/>
        <AdditionalClaims>
            <Claim name='status' type='string'>Development</Claim>
        </AdditionalClaims>
    </GenerateJWT>
- Examine the value specified in the <Algorithm> element. If it is not one of the following values:
    HS256, HS384, HS512, RS256, RS384, RS512
  then that's the cause of the error.
  In the example Generate JWT policy shown above, the <Algorithm> name is specified as HS128. Because this is not a supported algorithm, you get the error:
    Invalid Value for element : policy(JWT-Generate-HS256) element(Algorithm).
Resolution
Ensure that the value specified in the <Algorithm> element is one of the supported values:
HS256, HS384, HS512, RS256, RS384, RS512
To correct the example Generate JWT policy shown above, which uses the <SecretKey> element, change the value of the <Algorithm> element to HS256. Note that when the <SecretKey> element is used, you can only use HS Family algorithms.
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <SecretKey>
        <Value ref="private.secretkey"/>
        <Id>1918290</Id>
    </SecretKey>
    <ExpiresIn>1h</ExpiresIn>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalClaims>
        <Claim name='status' type='string'>Development</Claim>
    </AdditionalClaims>
</GenerateJWT>
MissingConfigurationElement
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision 2 Missing configuration element : policy(policy_name) element(element_name).
Example error message
Error Saving Revision 2
Missing configuration element : policy(JWT-Generate-HS256) element(SecretKey).
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
This error occurs when the <PrivateKey> element is not used with RSA Family algorithms in the Generate JWT policy.  Likewise, the error can occur if the <SecretKey> element is not used with HS Family algorithms in the Generate JWT policy.
For example, not using the <PrivateKey> element with RSA Family algorithms leads to this error.
Diagnosis
- Identify the name of the Generate JWT policy and the missing element name from the error message. For example, in the following error message, the name of the Generate JWT policy is JWT-Generate-HS256 and the missing element name is SecretKey.
    Missing configuration element : policy(JWT-Generate-HS256) element(SecretKey).
- Examine the failed Generate JWT policy XML and verify that the element indicated in the error message is missing. If it is missing, then that's the cause of the error.
  For example, in the following policy the SecretKey is missing and the Algorithm used is HS256:
    <GenerateJWT name="JWT-Generate-HS256">
        <DisplayName>JWT Generate HS256</DisplayName>
        <Algorithm>HS256</Algorithm>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <ExpiresIn>1h</ExpiresIn>
        <Subject>monty-pythons-flying-circus</Subject>
        <Issuer>urn://apigee-JWT-policy-test</Issuer>
        <Audience>fans</Audience>
        <Id/>
        <AdditionalClaims>
            <Claim name='claim' ref='reqclaim' type='string' array='true'/>
        </AdditionalClaims>
    </GenerateJWT>
  The example Generate JWT policy uses HS Family algorithms, but the mandatory element SecretKey is missing, resulting in the error:
    Missing configuration element : policy(JWT-Generate-HS256) element(SecretKey).
Resolution
Ensure that the mandatory <PrivateKey> element is used with RSA Family algorithms and the mandatory <SecretKey> element is used with HS Family algorithms.
To correct the example Generate JWT policy shown above, which uses the HS256 algorithm, add the <SecretKey> element to the Generate JWT policy:
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <SecretKey>
        <Value ref="private.secretkey"/>
        <Id>1918290</Id>
    </SecretKey>
    <ExpiresIn>1h</ExpiresIn>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalHeaders>
        <Claim name='claim' ref='reqclaim' type='string' array='true'/>
    </AdditionalHeaders>
</GenerateJWT>
InvalidKeyConfiguration
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision Invalid Key configuration : policy(policy_name).
Example error message
Error Saving Revision 3
Invalid Key configuration : policy(JWT-Generate-HS256).
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
This error occurs if the mandatory child element <Value> is not defined in the <PrivateKey> or <SecretKey> elements in the Generate JWT policy.
Diagnosis
- Identify the name of the Generate JWT policy from the error message. For example, in the following error message, the name of the Generate JWT policy is JWT-Generate-HS256.
    Invalid Key configuration : policy(JWT-Generate-HS256).
- Examine the failed Generate JWT policy XML and verify whether the child element <Value> is not defined in the <PrivateKey> or <SecretKey> elements. If <Value> is not defined, then that's the cause of the error.
  For example, in the following policy the child element <Value> is not defined in the <SecretKey> element:
    <GenerateJWT name="JWT-Generate-HS256">
        <DisplayName>JWT Generate HS256</DisplayName>
        <Algorithm>HS256</Algorithm>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <ExpiresIn>1h</ExpiresIn>
        <SecretKey>
        </SecretKey>
        <Subject>monty-pythons-flying-circus</Subject>
        <Issuer>urn://apigee-JWT-policy-test</Issuer>
        <Audience>fans</Audience>
        <Id/>
        <AdditionalClaims>
            <Claim name='claim' ref='reqclaim' type='string' array='true'/>
        </AdditionalClaims>
    </GenerateJWT>
  Because the child element <Value> is not defined in the <SecretKey> element of the Generate JWT policy, you get the error:
    Invalid Key configuration : policy(JWT-Generate-HS256).
Resolution
Ensure that the child element <Value> is always defined in the <PrivateKey> or <SecretKey> elements of the Generate JWT policy.
To correct the example Generate JWT policy shown above, define the child element <Value> under the <SecretKey> element as shown below:
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <SecretKey>
        <Value ref="private.secretkey"/>
    </SecretKey>
    <ExpiresIn>1h</ExpiresIn>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalHeaders>
        <Claim name='claim' ref='reqclaim' type='string' array='true'/>
    </AdditionalHeaders>
</GenerateJWT>
EmptyElementForKeyConfiguration
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision 2 Empty Element for Key Configuration : policy(policy_name) element(element_name).
Example error message
Error Saving Revision 2
Empty Element for Key Configuration : policy(JWT-Generate-HS256) element(SecretKey/Value).
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
This error occurs if the ref attribute in the child element <Value> of the <PrivateKey> or <SecretKey> elements is not specified or empty.
For example, if the child element <Value> of the <SecretKey> element is empty, then the error occurs.
Diagnosis
- Identify the name of the Generate JWT policy and the empty element name from the error message. For example, in the following error message, the name of the Generate JWT policy is JWT-Generate-HS256 and the empty element name is SecretKey/Value.
    Empty Element for Key Configuration : policy(JWT-Generate-HS256) element(SecretKey/Value).
- Examine the failed Generate JWT policy XML and verify whether the element identified in Step 1 is empty. If it is empty, then that's the cause of the error.
  For example, the following policy shows that the child element <Value> of the <SecretKey> element is empty:
    <GenerateJWT name="JWT-Generate-HS256">
        <DisplayName>JWT Generate HS256</DisplayName>
        <Algorithm>HS256</Algorithm>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <ExpiresIn>1h</ExpiresIn>
        <SecretKey>
            <Value/>
            <Id>1918290</Id>
        </SecretKey>
        <Subject>monty-pythons-flying-circus</Subject>
        <Issuer>urn://apigee-JWT-policy-test</Issuer>
        <Audience>fans</Audience>
        <Id/>
        <AdditionalClaims>
            <Claim name='claim' ref='reqclaim' type='string' array='true'/>
        </AdditionalClaims>
    </GenerateJWT>
  Because the child element <Value> of the <SecretKey> element in the Generate JWT policy is empty, you get the error:
    Empty Element for Key Configuration : policy(JWT-Generate-HS256) element(SecretKey/Value).
Resolution
Ensure that the ref attribute in the child element <Value> of the <PrivateKey> or <SecretKey> elements is always specified and has the prefix "private.".
To correct the example Generate JWT policy shown above, use the flow variable private.secretkey in the child element <Value> of the <SecretKey> element:
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <SecretKey>
        <Value ref="private.secretkey"/>
        <Id>1918290</Id>
    </SecretKey>
    <ExpiresIn>1h</ExpiresIn>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalHeaders>
        <Claim name='claim' ref='reqclaim' type='string' array='true'/>
    </AdditionalHeaders>
</GenerateJWT>
InvalidVariableNameForSecret
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision 2
Invalid variable name for secret : policy(policy_name) element(element_name).
Example error message
Error Saving Revision 2
Invalid variable name for secret : policy(JWT-Generate-HS256) element(SecretKey/Value).
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
This error occurs if the flow variable name specified in the ref attribute in the child element <Value> of the <PrivateKey> or <SecretKey> elements does not include the private prefix (private.).
For example, if the flow variable name is specified as mykey in the ref attribute of the child element <Value> of the <PrivateKey> element, then this error occurs.
Diagnosis
- Identify the name of the Generate JWT policy and the name of the element with an invalid variable name from the error message. For example, in the following error message, the name of the Generate JWT policy is JWT-Generate-HS256 and the element name is SecretKey/Value.
  Invalid variable name for secret : policy(JWT-Generate-HS256) element(SecretKey/Value).
- Examine the failed Generate JWT policy XML and verify the variable name used in the element identified in Step 1. If the variable name does not have the prefix "private.", then that's the cause of the error.
  For example, the following policy shows that the child element <Value> of the <SecretKey> element has the invalid variable name mykey:
  <GenerateJWT name="JWT-Generate-HS256">
      <DisplayName>JWT Generate HS256</DisplayName>
      <Algorithm>HS256</Algorithm>
      <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
      <ExpiresIn>1h</ExpiresIn>
      <SecretKey>
          <Value ref="mykey"/>
          <Id>1918290</Id>
      </SecretKey>
      <Subject>monty-pythons-flying-circus</Subject>
      <Issuer>urn://apigee-JWT-policy-test</Issuer>
      <Audience>fans</Audience>
      <Id/>
      <AdditionalClaims>
          <Claim name='claim' ref='reqclaim' type='string' array='true'/>
      </AdditionalClaims>
  </GenerateJWT>
  Because the variable name specified in the child element <Value> of the <SecretKey> element of the Generate JWT policy does not have the prefix "private.", you get the error:
  Invalid variable name for secret : policy(JWT-Generate-HS256) element(SecretKey/Value).
Resolution
Ensure that the ref attribute in the child element <Value> of the <PrivateKey> or <SecretKey> elements is always specified and has the prefix "private.".
To correct the example Generate JWT policy shown above, use the flow variable private.secretkey in the child element <Value> of the <SecretKey> element:
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <SecretKey>
        <Value ref="private.secretkey"/>
        <Id>1918290</Id>
    </SecretKey>
    <ExpiresIn>1h</ExpiresIn>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalHeaders>
        <Claim name='claim' ref='reqclaim' type='string' array='true'/>
    </AdditionalHeaders>
</GenerateJWT>
InvalidSecretInConfig
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision 2
Specifying a secret in the configuration is invalid : policy(policy_name) element(element_name).
Example error message
Error Saving Revision 2
Specifying a secret in the configuration is invalid : policy(JWT-Generate-HS256) element(SecretKey/Value).
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
This error occurs if the value (secret) is specified explicitly in:
- The child elements <Value> or <Password> of the <PrivateKey> element or
- The child element <Value> of the <SecretKey> element
in the Generate JWT policy.
For example, if the secret is specified explicitly as abc in the child element <Value> of the <SecretKey> element, then this error occurs.
Diagnosis
- Identify the name of the Generate JWT policy and the element name in which the secret is explicitly specified from the error message. For example, in the following error message, the name of the Generate JWT policy is JWT-Generate-HS256 and the element name is SecretKey/Value.
  Specifying a secret in the configuration is invalid : policy(JWT-Generate-HS256) element(SecretKey/Value).
- Examine the failed Generate JWT policy XML and verify if the secret is explicitly specified in the element identified in Step 1. If it is specified explicitly, then that's the cause of the error.
  For example, the following policy shows that the secret has been specified explicitly in the child element <Value> of the <SecretKey> element:
  <GenerateJWT name="JWT-Generate-HS256">
      <DisplayName>JWT Generate HS256</DisplayName>
      <Algorithm>HS256</Algorithm>
      <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
      <ExpiresIn>1h</ExpiresIn>
      <SecretKey>
          <Value>abc</Value>
          <Id>1918290</Id>
      </SecretKey>
      <Subject>monty-pythons-flying-circus</Subject>
      <Issuer>urn://apigee-JWT-policy-test</Issuer>
      <Audience>fans</Audience>
      <Id/>
      <AdditionalClaims>
          <Claim name='claim' ref='reqclaim' type='string' array='true'/>
      </AdditionalClaims>
  </GenerateJWT>
  Because the secret is specified explicitly in the child element <Value> of the <SecretKey> element of the Generate JWT policy, you get the error:
  Specifying a secret in the configuration is invalid : policy(JWT-Generate-HS256) element(SecretKey/Value).
Resolution
Ensure that the value is always specified as a flow variable in the child element <Value> of the <PrivateKey> or <SecretKey> elements.
To correct the example Generate JWT policy shown above, use the flow variable private.secretkey in the ref attribute of the child element <Value> of the <SecretKey> element:
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <ExpiresIn>1h</ExpiresIn>
    <SecretKey>
        <Value ref="private.secretkey"/>
        <Id>1918290</Id>
    </SecretKey>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalHeaders>
        <Claim name='claim' ref='reqclaim' type='string' array='true'/>
    </AdditionalHeaders>
</GenerateJWT>
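The four key-configuration checks described in the sections above can be run against policy XML before it is deployed. The following is an added example, not Apigee's validator or code from this documentation; the function names, the sample policies and the order of the checks are assumptions, while the message texts are the ones quoted on this page.

```python
import xml.etree.ElementTree as ET

# Message texts are quoted from this page; the order of checks is an assumption.
MISSING = "Invalid Key configuration"
EMPTY = "Empty Element for Key Configuration"
BAD_NAME = "Invalid variable name for secret"
LITERAL = "Specifying a secret in the configuration is invalid"


def lint_key_config(policy_xml):
    """Return (message, element_path) findings for one Generate JWT policy."""
    root = ET.fromstring(policy_xml)
    findings = []
    for key_tag in ("SecretKey", "PrivateKey"):
        key = root.find(key_tag)
        if key is None:
            continue
        value = key.find("Value")
        if value is None:
            findings.append((MISSING, key_tag))  # no <Value> child at all
            continue
        ref = (value.get("ref") or "").strip()
        path = key_tag + "/Value"
        if (value.text or "").strip():
            findings.append((LITERAL, path))     # secret typed into the XML
        elif not ref:
            findings.append((EMPTY, path))       # <Value/> or ref=""
        elif not ref.startswith("private."):
            findings.append((BAD_NAME, path))    # e.g. ref="mykey"
        password = key.find("Password")
        if key_tag == "PrivateKey" and password is not None and (password.text or "").strip():
            findings.append((LITERAL, key_tag + "/Password"))
    return findings


def sample_policy(key_xml):
    """Constructed sample: the page's HS256 policy around a given key element."""
    return ('<GenerateJWT name="JWT-Generate-HS256"><Algorithm>HS256</Algorithm>'
            + key_xml + '<ExpiresIn>1h</ExpiresIn><Id/></GenerateJWT>')


if __name__ == "__main__":
    for key_xml in ("<SecretKey> </SecretKey>", "<SecretKey><Value/></SecretKey>",
                    '<SecretKey><Value ref="mykey"/></SecretKey>',
                    "<SecretKey><Value>abc</Value></SecretKey>",
                    '<SecretKey><Value ref="private.secretkey"/></SecretKey>'):
        print(key_xml, "->", lint_key_config(sample_policy(key_xml)) or "ok")
```

An empty result means none of the four key-configuration conditions was found; it says nothing about the other deployment checks on this page.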
InvalidTimeFormat
Error message
Deployment of the API proxy through either the Apigee UI or API fails with this error message:
Error Saving Revision 2
Invalid Time format: policy(policy_name) element(element_name).
Example error message
Error Saving Revision 3
Invalid Time format: policy(JWT-Generate-HS256) element(NotBefore).
Example screenshot
In the Apigee UI, you will see a dialog box with an error:

Cause
This error occurs if the value specified in the <NotBefore> element is not in one of the supported formats:
sortable, RFC 1123, RFC 850, ANSI-C
For example, if the value specified in <NotBefore> is 20-JUN-1990 08:03, which is not a supported format, then this error occurs.
<NotBefore>20-JUN-1990 08:03:00:21-07:00</NotBefore>
Diagnosis
- Identify the name of the Generate JWT policy and the name of the element that has an invalid time format from the error message. For example, in the following error message, the name of the Generate JWT policy is JWT-Generate-HS256 and the element name is NotBefore.
  Invalid Time format: policy(JWT-Generate-HS256) element(NotBefore).
- Examine the failed Generate JWT policy XML and verify the time format used in the element identified in Step 1. If the element does not use any of the supported formats:
  sortable, RFC 1123, RFC 850, ANSI-C
  then that's the cause of the error.
  For example, the following policy shows that the child element <NotBefore> uses an unsupported time format:
  <GenerateJWT name="JWT-Generate-HS256">
      <DisplayName>JWT Generate HS256</DisplayName>
      <Algorithm>HS256</Algorithm>
      <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
      <ExpiresIn>1h</ExpiresIn>
      <NotBefore>20-JUN-1990 08:03:00:21-07:00</NotBefore>
      <SecretKey>
          <Value ref="private.secretkey"/>
          <Id>1918290</Id>
      </SecretKey>
      <Subject>monty-pythons-flying-circus</Subject>
      <Issuer>urn://apigee-JWT-policy-test</Issuer>
      <Audience>fans</Audience>
      <Id/>
      <AdditionalClaims>
          <Claim name='claim' ref='reqclaim' type='string' array='true'/>
      </AdditionalClaims>
  </GenerateJWT>
  Because the element <NotBefore> of the Generate JWT policy does not use any of the supported time formats, you get the error:
  Invalid Time format: policy(JWT-Generate-HS256) element(NotBefore).
Resolution
Ensure that the value specified in the <NotBefore> element uses one of the supported formats:
sortable, RFC 1123, RFC 850, ANSI-C
To correct the example Generate JWT policy, modify the date in the <NotBefore> element to use the sortable format as shown below:
<GenerateJWT name="JWT-Generate-HS256">
    <DisplayName>JWT Generate HS256</DisplayName>
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <ExpiresIn>1h</ExpiresIn>
    <NotBefore>2018-08-14T11:00:21-07:00</NotBefore>
    <SecretKey>
        <Value ref="private.secretkey"/>
        <Id>1918290</Id>
    </SecretKey>
    <Subject>monty-pythons-flying-circus</Subject>
    <Issuer>urn://apigee-JWT-policy-test</Issuer>
    <Audience>fans</Audience>
    <Id/>
    <AdditionalHeaders>
        <Claim name='claim' ref='reqclaim' type='string' array='true'/>
    </AdditionalHeaders>
</GenerateJWT>