Security

The following contents describe how to generate JWT (JSON Web Token).
It follows RFC 7519 specification. For more details, refer to 'https://jwt.io'

Card Data Token

For secure data inter-communication, the token must be encrypted and signed using security factors.
See a chapter Security factors for details.

JWT Details

JWE Format

[JWE Header]

JWE Header Requirement Description
alg Mandatory Cryptographic algorithm used to encrypt the Content Encryption Key (CEK).
e.g., RSA1_5

enc Mandatory Content encryption algorithm used to perform authenticated encryption on the plaintext to produce the ciphertext.

[JWE Payload]

JWE Payload Requirement Description
encrypted_key Mandatory Contains the BASE64URL (JWE Encrypted Key) value.
The Content Encryption Key is encrypted with the Public Key.

iv Mandatory Contains the BASE64URL (JWE Initialization Vector) value.
Initialization vector used in the encryption algorithm.

ciphertext Mandatory Ciphertext value resulting from authenticated encryption of the ‘cdata’ object, which is encrypted using ‘encrypted_key’ and ‘iv’.
authentication tag Mandatory Contains the BASE64URL (JWE Authentication Tag) value, used for verifying the integrity of the ciphertext.

[JWE Example]

BASE64URL (UTF8 (JWE Header)) + '.' +
BASE64URL (JWE encrypted_key) + '.' +
BASE64URL (JWE iv) + '.' +
BASE64URL (JWE ciphertext) + '.' +
BASE64URL (JWE authentication tag)

JWE Header

{"enc":"A128GCM","alg":"RSA1_5"}

JWE Payload: ciphertext

Refer to sheets on ‘Add to Wallet’ interfaces, and Attributes

Result

eyJraWQiOiJXTFQuUFVCS0VZIiwiZW5jIjoiQTEyOEdDTSIsImFsZyI6IlJTQTFfNSJ9.ABO_Ci81BtJ2d1a8TCgKfWBx9WpRI4TkhHZwmS8swct_2nNZHAsI_nKLmj3wnKM5gwaoUny14ZX_6EoZhJ6TdIicUQ-raIRs6woESu8XA2dT1sC5l17wu9WdsgOK4anJ0KIUNII4PLeR3d-4foX1Hx1fok9sIwWqqFql4vnqg3hE-i4J6cyWOYBphzNYBMKyyNkIqFczl6lbTTEhc4TDAOrPKWra3VMB0BBz5NyzF1axzFk-17tZ0GfhS82A7GL9REj1K5B10_2qfGmhTtfFVcyYTMKv3InMaHQ0b48L3SK1oPPmFCuqigYMVLUDbg_QWdnBl9eIlInOjjt8Ar2NUA.ZviyGHUSi5Fb2Rl2.gm5ivizrQQdR8NPK1N2qREyAI4MD-FISfWTBBBgEbhNhjMnu-c_o1YUYRvdhCm0Ki_rvcDNZKDLcP_g7shSkMRoYin3bI92qgtkFh2V4Y-kCuG2DvGV9UIV3oxaWvlIKfcNtmZiZj3ThV_FUE7JrNrbwf2XMVIwsQo5b0lmoUsKbHuHasqIlRE0RtC1fgn03qFE_E-B87vht5En2PnBYDJv-6_8g3aesSyodvHyzYaYonLxW_KWqiF-i5AUwFiIgK5LgVmUz9DSl6-QKgYiz5pl9nyydJjjpIlibtuaLYvzB1CH-gskwEUhiMl62ZR-Chz2Ado8Vn0SRoCcJHcaX6PBSP3x6FhyXHr65BJZAn4lMDfSsKN92bcFycLX8J_pgRLM4VUI_-Kx1lWpArkwRtYxmEbKMJ-2w8NUMRNnpGt2ERLo_hVtZ8Xh1kopvqjLdjdG_QqfU_OEWO3HvuNKGQeu3QhI6EyWvarb7OZsIsz-F95O7K-KQtJhfBWz_YrA2NxD2Bcgc9uA966_9uQ4oMBwA-8FccAWPxYYU4vZBz_ycV25j8GrdqHHTw6n9TKZy4Nu07jIT4cCoFVu5N_Gsyn1qoWD11-_lMk8aMF-L5dDipvrun7DEalJD8Me4NsAAkESLQfKz_sddSu0-05icfKm33qUQP6fzn5OcY6Dmn5kZBVQXZHgHCG_A_K1xQQlX_kuPL4JSAxCNCiUYPTDqbc0HxXwUiYrM3tCDe6piCymGCbPKC205NiylD-6eN43dI4yKC029YQx8rSLDOAA6RWvp-ZEHdKxyNyIlJA-_8Fw4iOqp6vK98AjZ5T-ajQDK1h6n_opt-ZCJkJZz-7r2x07BSa_5ng7iwamBRSv1deFxhIyV-EsCe1MEif-na_411hGpJA-GwCzp_wsSWlqra0RPDq208lY70XPPu4H_3EH_6q8cy5YhHnS93VfUO0NSQfNiKeR25zwNID39zoiyj_de9gZjaWXa3k0TPrPn5MfdpXVTD0-ro4oqI34ab62-rUBCdYdsmTGgIHZY3sHLGtyAfrBzHMPMDKAUOJ9BUIRaSqpnr4NaHfq_S1m1Uy5pEEQ3j0bOzmcc4UAsNQQnrreLqm8bKFQI41GgJRJm9UvkCR-PMFOnSHeOqjmce6ZKua1qTOEFXYcdFOejBjqDBcyCNoqGuGoDlqn2-3MkGGrpVQVYAolOMyKC_Sl8kpDvjXNtKggzQB9VnlnlQ9_fY3hmyor0ZEExyTajfua-4IlsFKG3crQkx3scCSp-W6rf7vfzX5vDhqbHFZbHbuXYpFj1bDmIs_w-xQDVr1KgblzMsW9gRBwM2MK8rt9QPziNHcaQfV2dQaGQth4VyUCcq0mJCS5QgnBKwdiGGVxfk7BhwHK2jrW3K4egjQNa9LSSNhCjhQZ69M16iVBffktnz5oT0L-nPKcQEIfiA-rjmwYy6BEodZi8S7S4l4YvLmvjjiDuJxKB7ZsQUSVrVizPljMk1RsbvgwW7rfOJLcI9ed-mHpsMxvepj2UxEZXU95Z_vX7i8xGSZxmlWrmSI0EEPA5TL7GQfxfIMtV4V_O8RjIIPQtDJMkENKFlNVkn8Wio7nosfYAk1gplxkPR2SCIElTCIRPweu_4y56Yq3wxbVnwCAX7yyjyTuBIRk30zNW84oMYYlJC67wntyBEqi3TY1vz6Wxraenn_dNwIku-RY_bvC9BJWZPgDNpZdTdqnDhiJLEyK9zhZcwvjHVom7VMS4CLJs6NdqVm9yeilk55H-EJn22-1n1u6pMjeyFBvtY0zFrf57sidTcItsEEJMhbM1UqdSK3RpFxv2HC0DYY9Ok7uAsDsIFWhKCZMue4QyUrd3Y4WvZHjjAPRXqEQoJfaVZ-Vt-331jVaJGkzIifMPuYFck-kYRqbQ193UYa9SY6E-7EreId3Cy7GYlP9-TFSUgoBPULNyDiEAmtQI1zaepwJKjqS9LJoFdOOjhXbqZy0-spItgLnBMtuxpxQH6phH34vdb2fCgjtTC8h1vp3_A0LvxxzuMdU3JYpc9ltqMXxG7XZ4h4UQrvIS2qm3XQwUB1uTO9SyhfNPf16h0-U8BQdOFG-YYbA-QN_AWN4UFS2FTFY-7yD1isp0G31LIFmORpLeHz0pcgEfO-MayacxsVGIOptn67EnMwe_GrdwKzV27DeoczTmCn_Fb7QVTDsLE881RFz7LrhMiTIUITdo4E0FkWUaZ1CoHrBpBhZmG30tLjbxYdB-lFq74rXfdC1eOBJ0vPcdAxomyA9EOXCNt70ttI16FR3lxjdYSGQv_iHtfkdauMMFYOJjH_W9ZagIWb2uxMhNG0A3MpT8R80HZBPpvH3HSb2uezWw8AqTlmkAlqF0g6nZqM181z46gNKZ7w3h8a29-yCi0yPz_m0POFIhnWjrEndjKew6aZoDEHwyUPsnO7y93QDc8kHhPzb84bkAhBC2SYe8wGvgMrhFIwSigfht_G3M8Nlt3vfAsQe98two0Tzu3K72KmoD8khdw6Xq6OalXobA1M9wfi51Wmjji8yr4TY-7pqDc51OmbxSQUrAO0-6Puja5DUFUIOQ3yZM0iWR1YJciqAoFp-XWN9CrH287vJZhW2s4Ges8S-Wuda9yu61u3b1pwR0fYsEOUzQuaY_t3qkZiaGhvZ0A2nEFdY2wkTmaonidqtsku8rhPKnqaLRC_ydnvyQOOxnrDwJRXxILuTVlaaQmYgTl0zesSRvpkH4InkIU0ikBDCeQVnLCJqNuYMc5u_DTIc-pb7E9H4zWxm3TAlMLzoC-v1u0sHzaqok3tvIXA9uy9i3qvPz1reALWg7w1yqQUhPd-6PGolbddFqWXEkb43JtRy3wnxJIZCGZoqwiUvPdHpzm0CyfzLx71cBcpyC3Lkg_pDUWKB2qJV2HjodUSvStv8.bv9p-aoAIt1mfIJsWZevSg

JWS Format

[JWS Header]

JWS Header Requirement Description
alg Mandatory Cryptographic algorithm used to generate signature
e.g., RS256

cty Mandatory Payload content type
Set as ‘CARD’

ver Mandatory Token version.
Set as 2.

partnerId Mandatory Partner identifier.
utc Mandatory Creation time. To prevent repeated use, the token expires after a certain period of time.
Unix timestamp in milliseconds.
*Time offset from UTC of +00:00

[JWS Payload]

JWS Payload Requirement Description
JWE compact serialization Mandatory Contains BASE64URL (JWE) value.

[JWS Signature]

JWS Signature Requirement Description
JWS Signature Mandatory BASE64URL (
  Signature of(
    BASE64URL(UTF8(JWS Header)) + '.' + BASE64URL(JWS Payload))
  )
)

[JWS Example]

BASE64URL (UTF8 (JWS Header)) +'.' +
BASE64URL (JWS Payload) + '.' +
BASE64URL (JWS Signature)

JWS Header:

{"cty":"CARD","ver":2,"partnerId":"1234567890","utc":1631776245876,"alg":"RS256"}

JWS Payload

JWE Result

Result:

eyJjdHkiOiJQQVNTIiwidmVyIjoxLCJwYXJ0bmVySWQiOiIxMjM0NTY3ODkwIiwidXRjIjoxNjM1ODQ1ODU2MjQ0LCJhbGciOiJSUzI1NiIsImtpZCI6IlBUTi5QUklLRVkifQ.ZXlKcmFXUWlPaUpYVEZRdVVGVkNTMFZaSWl3aVpXNWpJam9pUVRFeU9FZERUU0lzSW1Gc1p5STZJbEpUUVRGZk5TSjkuQUJPX0NpODFCdEoyZDFhOFRDZ0tmV0J4OVdwUkk0VGtoSFp3bVM4c3djdF8ybk5aSEFzSV9uS0xtajN3bktNNWd3YW9VbnkxNFpYXzZFb1poSjZUZElpY1VRLXJhSVJzNndvRVN1OFhBMmRUMXNDNWwxN3d1OVdkc2dPSzRhbkowS0lVTklJNFBMZVIzZC00Zm9YMUh4MWZvazlzSXdXcXFGcWw0dm5xZzNoRS1pNEo2Y3lXT1lCcGh6TllCTUt5eU5rSXFGY3psNmxiVFRFaGM0VERBT3JQS1dyYTNWTUIwQkJ6NU55ekYxYXh6RmstMTd0WjBHZmhTODJBN0dMOVJFajFLNUIxMF8ycWZHbWhUdGZGVmN5WVRNS3YzSW5NYUhRMGI0OEwzU0sxb1BQbUZDdXFpZ1lNVkxVRGJnX1FXZG5CbDllSWxJbk9qanQ4QXIyTlVBLlp2aXlHSFVTaTVGYjJSbDIuZ201aXZpenJRUWRSOE5QSzFOMnFSRXlBSTRNRC1GSVNmV1RCQkJnRWJoTmhqTW51LWNfbzFZVVlSdmRoQ20wS2lfcnZjRE5aS0RMY1BfZzdzaFNrTVJvWWluM2JJOTJxZ3RrRmgyVjRZLWtDdUcyRHZHVjlVSVYzb3hhV3ZsSUtmY050bVppWmozVGhWX0ZVRTdKck5yYndmMlhNVkl3c1FvNWIwbG1vVXNLYkh1SGFzcUlsUkUwUnRDMWZnbjAzcUZFX0UtQjg3dmh0NUVuMlBuQllESnYtNl84ZzNhZXNTeW9kdkh5ellhWW9uTHhXX0tXcWlGLWk1QVV3RmlJZ0s1TGdWbVV6OURTbDYtUUtnWWl6NXBsOW55eWRKampwSWxpYnR1YUxZdnpCMUNILWdza3dFVWhpTWw2MlpSLUNoejJBZG84Vm4wU1JvQ2NKSGNhWDZQQlNQM3g2Rmh5WEhyNjVCSlpBbjRsTURmU3NLTjkyYmNGeWNMWDhKX3BnUkxNNFZVSV8tS3gxbFdwQXJrd1J0WXhtRWJLTUotMnc4TlVNUk5ucEd0MkVSTG9faFZ0WjhYaDFrb3B2cWpMZGpkR19RcWZVX09FV08zSHZ1TktHUWV1M1FoSTZFeVd2YXJiN09ac0lzei1GOTVPN0stS1F0SmhmQld6X1lyQTJOeEQyQmNnYzl1QTk2Nl85dVE0b01Cd0EtOEZjY0FXUHhZWVU0dlpCel95Y1YyNWo4R3JkcUhIVHc2bjlUS1p5NE51MDdqSVQ0Y0NvRlZ1NU5fR3N5bjFxb1dEMTEtX2xNazhhTUYtTDVkRGlwdnJ1bjdERWFsSkQ4TWU0TnNBQWtFU0xRZkt6X3NkZFN1MC0wNWljZkttMzNxVVFQNmZ6bjVPY1k2RG1uNWtaQlZRWFpIZ0hDR19BX0sxeFFRbFhfa3VQTDRKU0F4Q05DaVVZUFREcWJjMEh4WHdVaVlyTTN0Q0RlNnBpQ3ltR0NiUEtDMjA1Tml5bEQtNmVONDNkSTR5S0MwMjlZUXg4clNMRE9BQTZSV3ZwLVpFSGRLeHlOeUlsSkEtXzhGdzRpT3FwNnZLOThBalo1VC1halFESzFoNm5fb3B0LVpDSmtKWnotN3IyeDA3QlNhXzVuZzdpd2FtQlJTdjFkZUZ4aEl5Vi1Fc0NlMU1FaWYtbmFfNDExaEdwSkEtR3dDenBfd3NTV2xxcmEwUlBEcTIwOGxZNzBYUFB1NEhfM0VIXzZxOGN5NVloSG5TOTNWZlVPME5TUWZOaUtlUjI1endOSUQzOXpvaXlqX2RlOWdaamFXWGEzazBUUHJQbjVNZmRwWFZURDAtcm80b3FJMzRhYjYyLXJVQkNkWWRzbVRHZ0lIWlkzc0hMR3R5QWZyQnpITVBNREtBVU9KOUJVSVJhU3FwbnI0TmFIZnFfUzFtMVV5NXBFRVEzajBiT3ptY2M0VUFzTlFRbnJyZUxxbThiS0ZRSTQxR2dKUkptOVV2a0NSLVBNRk9uU0hlT3FqbWNlNlpLdWExcVRPRUZYWWNkRk9lakJqcURCY3lDTm9xR3VHb0RscW4yLTNNa0dHcnBWUVZZQW9sT015S0NfU2w4a3BEdmpYTnRLZ2d6UUI5Vm5sbmxROV9mWTNobXlvcjBaRUV4eVRhamZ1YS00SWxzRktHM2NyUWt4M3NjQ1NwLVc2cmY3dmZ6WDV2RGhxYkhGWmJIYnVYWXBGajFiRG1Jc193LXhRRFZyMUtnYmx6TXNXOWdSQndNMk1LOHJ0OVFQemlOSGNhUWZWMmRRYUdRdGg0VnlVQ2NxMG1KQ1M1UWduQkt3ZGlHR1Z4Zms3Qmh3SEsyanJXM0s0ZWdqUU5hOUxTU05oQ2poUVo2OU0xNmlWQmZma3RuejVvVDBMLW5QS2NRRUlmaUEtcmptd1l5NkJFb2RaaThTN1M0bDRZdkxtdmpqaUR1SnhLQjdac1FVU1ZyVml6UGxqTWsxUnNidmd3VzdyZk9KTGNJOWVkLW1IcHNNeHZlcGoyVXhFWlhVOTVaX3ZYN2k4eEdTWnhtbFdybVNJMEVFUEE1VEw3R1FmeGZJTXRWNFZfTzhSaklJUFF0REpNa0VOS0ZsTlZrbjhXaW83bm9zZllBazFncGx4a1BSMlNDSUVsVENJUlB3ZXVfNHk1NllxM3d4YlZud0NBWDd5eWp5VHVCSVJrMzB6Tlc4NG9NWVlsSkM2N3dudHlCRXFpM1RZMXZ6Nld4cmFlbm5fZE53SWt1LVJZX2J2QzlCSldaUGdETnBaZFRkcW5EaGlKTEV5Szl6aFpjd3ZqSFZvbTdWTVM0Q0xKczZOZHFWbTl5ZWlsazU1SC1FSm4yMi0xbjF1NnBNamV5RkJ2dFkwekZyZjU3c2lkVGNJdHNFRUpNaGJNMVVxZFNLM1JwRnh2MkhDMERZWTlPazd1QXNEc0lGV2hLQ1pNdWU0UXlVcmQzWTRXdlpIampBUFJYcUVRb0pmYVZaLVZ0LTMzMWpWYUpHa3pJaWZNUHVZRmNrLWtZUnFiUTE5M1VZYTlTWTZFLTdFcmVJZDNDeTdHWWxQOS1URlNVZ29CUFVMTnlEaUVBbXRRSTF6YWVwd0pLanFTOUxKb0ZkT09qaFhicVp5MC1zcEl0Z0xuQk10dXhweFFINnBoSDM0dmRiMmZDZ2p0VEM4aDF2cDNfQTBMdnh4enVNZFUzSllwYzlsdHFNWHhHN1haNGg0VVFydklTMnFtM1hRd1VCMXVUTzlTeWhmTlBmMTZoMC1VOEJRZE9GRy1ZWWJBLVFOX0FXTjRVRlMyRlRGWS03eUQxaXNwMEczMUxJRm1PUnBMZUh6MHBjZ0VmTy1NYXlhY3hzVkdJT3B0bjY3RW5Nd2VfR3Jkd0t6VjI3RGVvY3pUbUNuX0ZiN1FWVERzTEU4ODFSRno3THJoTWlUSVVJVGRvNEUwRmtXVWFaMUNvSHJCcEJoWm1HMzB0TGpieFlkQi1sRnE3NHJYZmRDMWVPQkowdlBjZEF4b215QTlFT1hDTnQ3MHR0STE2RlIzbHhqZFlTR1F2X2lIdGZrZGF1TU1GWU9KakhfVzlaYWdJV2IydXhNaE5HMEEzTXBUOFI4MEhaQlBwdkgzSFNiMnVleld3OEFxVGxta0FscUYwZzZuWnFNMTgxejQ2Z05LWjd3M2g4YTI5LXlDaTB5UHpfbTBQT0ZJaG5XanJFbmRqS2V3NmFab0RFSHd5VVBzbk83eTkzUURjOGtIaFB6Yjg0YmtBaEJDMlNZZTh3R3ZnTXJoRkl3U2lnZmh0X0czTThObHQzdmZBc1FlOTh0d28wVHp1M0s3Mkttb0Q4a2hkdzZYcTZPYWxYb2JBMU05d2ZpNTFXbWpqaTh5cjRUWS03cHFEYzUxT21ieFNRVXJBTzAtNlB1amE1RFVGVUlPUTN5Wk0waVdSMVlKY2lxQW9GcC1YV045Q3JIMjg3dkpaaFcyczRHZXM4Uy1XdWRhOXl1NjF1M2IxcHdSMGZZc0VPVXpRdWFZX3QzcWtaaWFHaHZaMEEybkVGZFkyd2tUbWFvbmlkcXRza3U4cmhQS25xYUxSQ195ZG52eVFPT3huckR3SlJYeElMdVRWbGFhUW1ZZ1RsMHplc1NSdnBrSDRJbmtJVTBpa0JEQ2VRVm5MQ0pxTnVZTWM1dV9EVEljLXBiN0U5SDR6V3htM1RBbE1Mem9DLXYxdTBzSHphcW9rM3R2SVhBOXV5OWkzcXZQejFyZUFMV2c3dzF5cVFVaFBkLTZQR29sYmRkRnFXWEVrYjQzSnRSeTN3bnhKSVpDR1pvcXdpVXZQZEhwem0wQ3lmekx4NzFjQmNweUMzTGtnX3BEVVdLQjJxSlYySGpvZFVTdlN0djguYnY5cC1hb0FJdDFtZklKc1daZXZTZw.BwqNQ5n8apKEs9fbB4htdQBtErdKlAZTmphx6r_h7k7og4lx3gMgdS3FEp6o4CS6jTTUTOSt6gDmuDWZOzZtpTWeTj64P4oF1WLzKF6tX8alrkaiQR2npTXh_ah87BkW69myzaKb4D9obNgp7qdk7IzgkpQ180olmBtPxIV-wkiN92F6n2fpOI5Bt1wS_hH8wxGlA6NKm0s-ROaYL7GtvgBS6gOHKhvGaXnhesQY7KZgQTE9OrCc_fliqyyRABHtpgyBwb7Wp0hPodZQ0dPaduMKkprs05VidFZJUfxduYc7ZbZE-g_tiXrJK3Linf4rNZXyI0gOhBW5GRPHu3wlTg

Authorization Token

Restful API needs to include an authentication token (JWT). Samsung and partners can use the token to authenticate API
calls.

JWT Details

[JWS Header]

JWS Header Requirement Description
alg Mandatory Cryptographic algorithm used to sign the payload.
e.g., RS256

cty Mandatory Payload content type
*such as 'AUTH'

ver Mandatory Token version.
Set as 2.

partnerId Mandatory Partner ID.
utc Mandatory Creation time.
To prevent repeated use, the token expires after a certain period of time. Unix timestamp in milliseconds.
*Time offset from UTC of +00:00

[JWS Payload]

JWE Payload Requirement Description
API Mandatory Current API information.
API.method Mandatory API method.
API.path Mandatory API path.
refId Optional A unique content identifier defined by the content provider

[Authentication Token Example]

JWS Header:

{"cty":"AUTH","ver":1,"partnerId":"1234567890","utc":1631775948348,"alg":"RS256"}

JWS Payload:

*Samsung Server API > Update Notification
{
    "API": {
        "method": "POST",
        "path": "/wltex/cards/12584806754/notification"
    },
    "refId": " ref-20230304-0003"
}

*Partner Server API > Get Card Data 
{
    "API": {
        "method": "GET",
        "path": "/cards/12584806754/ref-20230304-0003"
    },
    "refId": "ref-20230304-0003"
}

JWS Result:

eyJjdHkiOiJBVVRIIiwidmVyIjoxLCJwYXJ0bmVySWQiOiIxMjM0NTY3ODkwIiwidXRjIjoxNjMxNzc1OTQ4MzQ4LCJhbGciOiJSUzI1NiIsImtpZCI6IldMVC5QUklLRVkifQ.ewogICAgIkFQSSI6IHsKICAgICAgICAibWV0aG9kIjogIkdFVCIsCiAgICAgICAgInBhdGgiOiAiL2NhcmQvQ1MxNjEzODM1MzIxMjU4NDgwNjc1NCIKICAgIH0sCiAgICAicmVmSWQiOiAiQ1MxNjEzODM1MzIxMjU4NDgwNjc1NCIKfQo.AscAwII-aMbJKoly_AuZagxrwUUmKfUhBZnrLk0YkvByOg2dSLJs-_xyQ9toOh4cWSfpKeJ0VqkWBYROKABkhwMRdbKjrAjeAQ-87s-bQp1RCBeLNzMFq66gCmbg9xpD6dmwWlnRAzySZjrcyZklLu9si5qYKrkyUOz34MCWzwdNeOs3z3Gl1xft42M2-cDUxKQWi0WfrYAnxIEdWboIYu12SDnPsRBWlb7liW4oMM6fg01diRTbK6AYumbf7Zqjl_oygeLv9JFDYOzE0TQykLtTSHGdws7IMyamhA5nhaGPlhqIVzAQooSA14gBCm1U0zDqw4JQa4-1Vgjr_i5XEA

[Sample code implementation]

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.RSAKey;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
 
public class JwtManager {
 
    public String generate(String partnerId, PublicKey samsungPubKey, PublicKey partnerPubkey, PrivateKey partnerPrivKey, String data) {
        EncryptionMethod jweEnc = EncryptionMethod.A128GCM;
        JWEAlgorithm jweAlg = JWEAlgorithm.RSA1_5;
        JWEHeader jweHeader = new JWEHeader.Builder(jweAlg, jweEnc).build();
        RSAEncrypter encrypter = new RSAEncrypter((RSAPublicKey) samsungPubKey);
        JWEObject jwe = new JWEObject(jweHeader, new Payload(data));
        try {
            jwe.encrypt(encrypter);
        } catch (JOSEException e) {
            e.printStackTrace();
        }
        String payload = jwe.serialize();
 
        JWSAlgorithm jwsAlg = JWSAlgorithm.RS256;
        String cty = "CARD";
        String ver = "1";
        Long utc = System.currentTimeMillis();
 
        JWSHeader jwsHeader = new JWSHeader.Builder(jwsAlg)
                .contentType(cty)
                .customParam("partnerId", partnerId)
                .customParam("ver", ver)
                .customParam("utc", utc)
                .build();
 
        JWSObject jwsObj = new JWSObject(jwsHeader, new Payload(payload));
 
        RSAKey rsaJWK 
= new RSAKey.Builder((RSAPublicKey)partnerPubkey)
.privateKey(partnerPrivKey)
.build();
        JWSSigner signer = null;
        try {
            signer = new RSASSASigner(rsaJWK);
            jwsObj.sign(signer);
        } catch (JOSEException e) {
            e.printStackTrace();
        }
        return jwsObj.serialize();
    }
}

*Refer to Java and Android library 'Nimbus JOSE+JWT'