Data signing

Label data signing

When the label data has been created, it can be signed.


Signing is done via JSON Web Tokens, an open, industry standard RFC 7519 method for representing claims securely between two parties.

The website “” holds all information on this standard. It includes a list of libraries for all programming languages.

Signing involves a private and a public certificate. The private certificate should be secured and protected and only used in one place, on the airline back-end. The public certificate must be shared with BAGTAG so it can be used to validate the data to be signed with the private certificate.

Creating JWT data

Below is a pseudo-code example on creating a signed JWT package.
// Create payload object
var payload = {
    "pnr": "L9XCR2",
    "destinationName": "JFK",
    "sequenceNumber": "001",
    "licensePlateCode": "0220998547",
    "flightdate": "205",
    "flightdateYear": "2019",
    "issuingStation": "JNB",
    "flightData": "SA02042051115JFKX",
    "passengerNameData": "VANZANDT/CHRIS",
    "airlineFrequentFlyerLevel": "Q",
    "showGreenBars": null,
    "optionalData": null,
    "layoutField01": "PRIORITY"

// Read private key
var privateKey = ReadFile('private-key.pem');

// Set algorithm
var alg = JwsAlgorithm.RS512;

// Create JWT package
var signed = jwt.sign(payload, privateKey, alg);

/* signed =  
mG-sjjjUl2VKudeuzF0dP7ub8NYzNSghXRsSbg */
The result from this code is a JWT-signed string that contains a header, payload and signature. This package should be send from the airline backend to the EBT Framework in the mobile app.

Validating can be used to verify a signed jwt package. You’ll need your public key in pem format and a JWT packaged signed with your private key. Paste your signed jwt package and public key into the appropriate boxes.

It is also possible to check the JWT data against the BAGTAG environment. After sending your certificate to BAGTAG you can verify the certificate is correctly installed with the following API call.

The api takes the signed jwt package string as its sole parameter ( ?jwt=eyJhbGci…etc ) via a GET request.

The api will verify your signature and report any error found. If no errors are found the decoded payload of your signed jwt package is echoed back.

Okay! What's next?

Create a certificate to try it out.

Any questions about integration? Reach out to

We're here to help

Please fill in your details and we will contact you.