Skip to content


Authentication concerns the confirmation of user identity. The Noumena platform delegates user authentication to an OpenID Connect-compliant Identity and Access Management (IAM) service (e.g. Keycloak). Further details on IAM configuration can be found here. JSON Web Tokens (JWTs) should be obtained from the IAM and attached to all platform requests.

JWT specification

JWTs must be issued by an Identity and Access Management (IAM) provider that is compliant with the OpenID Connect Core 1.0 specification.

Since the authentication is provided by an external provider and the JWT is a standardized specification, its fields and structure are not managed by the engine.

Example of a valid JWT

        "iss": "",
        "sub": "12345",
        "exp": 1630497600,
        "iat": 1630490400,
        "org": "Noumena Digital AG",
        "department": [
        "roles": [


The token's user identifier (sub) becomes part of the platform engine's audit trail, but is otherwise immaterial to the functioning of the platform.

Reserved claims

Some claims defined by the JWT standard do not make sense for controlling party assignments. For example, claims like iat (issued at) will have a different value whenever the JWT is refreshed. The required fields will be enforced by the OpenID Connect-compliant IAM. To prevent accidental use of such claims, the following claims are actively ignored:

  • acr
  • allowed-origins
  • auth_time
  • azp
  • exp
  • iat
  • nbf
  • jti
  • realm_access
  • resource_access
  • session_state
  • sid
  • sub
  • typ