# Java

To authenticate to the akenza MQTT broker using device credentials, a device must send a JSON Web Token (JWT, [RFC 7519](https://tools.ietf.org/html/rfc7519)).&#x20;

Each JWT is composed of three components: a header, a payload (containing a claim set), and a signature.

The full example can be found [here](https://github.com/akenza-io/akenza-java-examples/blob/main/src/main/java/io/akenza/examples/mqtt/MqttExample.java).

### Using an RSA Private Key

{% code lineNumbers="true" %}

```java
/**
 * Create a JWT for the given device id, signed with the given RSA private key.
 */
private static String createJwtRS(String privateKeyFile, String audience, String deviceId, int tokenExpMinutes) throws JOSEException, IOException {
    String keyString = Files.readString(Paths.get(privateKeyFile));
    JWK jwk = JWK.parseFromPEMEncodedObjects(keyString);
    RSAKey rsaKey = jwk.toRSAKey();
    
    JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
            .subject(deviceId)
            .audience(String.format("https://%s/devices/%s", audience, deviceId))
            .expirationTime(Date.from(Instant.now().plus(Duration.ofMinutes(tokenExpMinutes))))
            .issueTime(Date.from(Instant.now()))
            .build();

    var header = new JWSHeader.Builder(JWSAlgorithm.RS256)
            .build();

    SignedJWT signedJWT = new SignedJWT(header, claimsSet);
    JWSSigner signer = new RSASSASigner(rsaKey);
    signedJWT.sign(signer);

    return signedJWT.serialize();
}
```

{% endcode %}

### Using an EC Private Key

```java
/**
 * Create a JWT for the given device id, signed with the given elliptic curve private key.
 */
private static String createJwtES(String privateKeyFile, String audience, String deviceId, int tokenExpMinutes) throws JOSEException, IOException {
    String keyString = Files.readString(Paths.get(privateKeyFile));
    JWK jwk = JWK.parseFromPEMEncodedObjects(keyString);
    ECKey ecKey = jwk.toECKey();

    JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
            .subject(deviceId)
            .audience(String.format("https://%s/devices/%s", audience, deviceId))
            .expirationTime(Date.from(Instant.now().plus(Duration.ofMinutes(tokenExpMinutes))))
            .issueTime(Date.from(Instant.now()))
            .build();

    var header = new JWSHeader.Builder(JWSAlgorithm.ES256)
            //TODO if multiple certificates are in use, provide the fingerprint
            //.keyID(getFingerPrint(publicKeyPEM))
            .build();

    SignedJWT signedJWT = new SignedJWT(header, claimsSet);
    JWSSigner signer = new ECDSASigner(ecKey);
    signedJWT.sign(signer);
    
    return signedJWT.serialize();
}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.akenza.io/akenza.io/get-started/your-data-flow/device-connector/device-security/using-device-credentials/using-json-web-tokens-jwts/java.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.