# Security

## Generate JWT tokens from custom claims

> Creates one or more JWT tokens with custom claims for advanced authentication scenarios.
>
> ## Use Cases
> - Testing and development
> - Service-to-service authentication
> - Custom identity workflows
> - Token migration scenarios
>
> ## Authorization
> Requires the `AuthenticationToken.Write` scope, which is restricted to authorized administrators and services.
>
> ## Validity Duration
> - Default: 10 years (`3650.00:00:00.000`)
> - Configurable via the `validityDuration` query parameter, in TimeSpan format
> - Examples: `1.00:00:00` (1 day), `30.00:00:00` (30 days)
>
> ## Request Format
> Accepts an array of claim sets, where each set generates one token:
> `[[{"type": "sub", "value": "user123"}, {"type": "email", "value": "user@example.com"}]]`
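>
> ## Security Warning
> Generated tokens have full authentication authority. Protect endpoint access and token distribution carefully. The claims in each token are supplied by the caller and, unless `validityDuration` is set, the token stays valid for the 10-year default, so request the shortest lifetime the use case allows and grant the `AuthenticationToken.Write` scope only to the callers that need it.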

```json
{"openapi":"3.1.1","info":{"title":"Neostore internal API","version":"v1"},"tags":[{"name":"Security"}],"servers":[{"url":"https://app.neostore.cloud","description":"Production Server"},{"url":"https://app-qa.neostore.cloud","description":"Staging Server"}],"security":[{"admin-bearer":["ScopedAuthorizeRequirement"]},{"apiKey":["ScopedAuthorizeRequirement"]}],"components":{"securitySchemes":{"admin-bearer":{"type":"oauth2","flows":{"implicit":{"authorizationUrl":"https://auth.neostore.cloud/authorize?audience=https://app.neostore.cloud/api/","scopes":{}}}},"apiKey":{"type":"apiKey","name":"X-API-KEY","in":"header"}},"schemas":{"WebClaim":{"type":"object","properties":{"type":{"type":"string","description":"claim type"},"value":{"type":"string","description":"Value"},"valueType":{"type":["null","string"],"description":"optional value type"}},"additionalProperties":false,"description":"Claim to generate JWT token for"},"ProblemDetails":{"type":"object","properties":{"type":{"type":["null","string"]},"title":{"type":["null","string"]},"status":{"type":["null","integer"],"format":"int32"},"detail":{"type":["null","string"]},"instance":{"type":["null","string"]}},"additionalProperties":{}},"HttpValidationProblemDetails":{"type":"object","allOf":[{"$ref":"#/components/schemas/ProblemDetails"}],"properties":{"errors":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}}},"additionalProperties":{}}}},"paths":{"/api/{tenantId}/tokens/generate":{"post":{"tags":["Security"],"summary":"Generate JWT tokens from custom claims","description":"Creates one or more JWT tokens with custom claims for advanced authentication scenarios.\n\n## Use Cases\n- Testing and development\n- Service-to-service authentication\n- Custom identity workflows\n- Token migration scenarios\n\n## Authorization\nRequires <c>AuthenticationToken.Write</c> scope - restricted to authorized administrators and services.\n\n## Validity Duration\n- Default: 10 years 
(3650.00:00:00.000)\n- Configurable via query parameter in TimeSpan format\n- Examples: <c>1.00:00:00</c> (1 day), <c>30.00:00:00</c> (30 days)\n\n## Request Format\nAccepts an array of claim sets, where each set generates one token:\n<c>[[{\\\"type\\\": \\\"sub\\\", \\\"value\\\": \\\"user123\\\"}, {\\\"type\\\": \\\"email\\\", \\\"value\\\": \\\"user@example.com\\\"}]]</c>\n\n## Security Warning\nGenerated tokens have full authentication authority. Protect endpoint access and token distribution carefully.","parameters":[{"name":"validityDuration","in":"query","description":"Optional validity duration in TimeSpan format (e.g., \"1.00:00:00\" for 1 day). Default is 10 years","schema":{"type":"string"}},{"name":"tenantId","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"description":"Array of claim sets; each set generates one JWT token","content":{"application/json":{"schema":{"type":"array","items":{"type":"array","items":{"description":"Claim to generate JWT token for","$ref":"#/components/schemas/WebClaim"}}}},"text/json":{"schema":{"type":"array","items":{"type":"array","items":{"description":"Claim to generate JWT token for","$ref":"#/components/schemas/WebClaim"}}}},"application/*+json":{"schema":{"type":"array","items":{"type":"array","items":{"description":"Claim to generate JWT token for","$ref":"#/components/schemas/WebClaim"}}}}}},"responses":{"200":{"description":"Tokens generated successfully.","content":{"text/plain":{"schema":{"type":"array","items":{"type":"string"}}},"application/json":{"schema":{"type":"array","items":{"type":"string"}}},"text/json":{"schema":{"type":"array","items":{"type":"string"}}}}},"401":{"description":"Caller not 
authenticated.","content":{"text/plain":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"text/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}}}},"403":{"description":"Caller lacks AuthenticationToken.Write scope.","content":{"text/plain":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"text/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}}}},"500":{"description":"Unexpected server error."}}}}}}
```
