
Not able to use 256 bit Key in JWE A256KW Key encryption

I was using the inbuilt policy to generate and encrypt a token. I selected A256KW for key encryption. However, when I give a 256-bit key, I get an error regarding the length of the key. It works for me once I make the key 128-bit.

Key samples:

E9DB7E89123F52A9F2DB04EF04C7FE88 (working).

E9DB7E89123F52A9F2DB04EF04C7FE8874C737410EFCFE2277574F35ABD7A894 (not working).

2 ACCEPTED SOLUTIONS

Thanks for that information. For A256KW, the length of the Key Encryption Key must be 256 bits.

Your configuration shows the SecretKey element like this:

  <SecretKey>
    <Value ref='private.key'/>
  </SecretKey>

You did not specify an encoding attribute on the Value element. By default, Apigee will decode the string you pass as the secret key via UTF-8. That means for each character in the string, Apigee will decode 8 bits. If you pass a string of length 64, Apigee will return a key that is 64 * 8 = 512 bits long. That's too long, which is why you see the error you see.

Actually the error message indicates "Insufficient Key Length" which suggests the key you provided is too short. But that's not correct. Really the message should read "Inappropriate Key Length", meaning that the key is not the right length for the algorithm you specified. Sorry about the confusion here! The exception is expected, the message could be better.

From the format of the key value, I am guessing that your intent is for Apigee to decode that string from a hex (or base16) encoding. 64 characters of hex would give you 4 bits per character, which is 64 * 4 = 256 bits total, and that is the correct length of key for A256KW. To do that, you need this configuration:

  <SecretKey encoding='hex'>
    <Value ref='private.key' />
  </SecretKey>

Hex decoding will work only for keys that use only HEX digits in the key string: 0-9A-F.

When I try this without the encoding attribute, I see the behavior you reported. When I try it with the encoding attribute specifying "hex", the policy succeeds in generating the encrypted JWT.

Looking now at the documentation for the policy, I can see that the encoding attribute is not documented! I'll get that fixed.

In lieu of official documentation: you can use hex, base16, base64, base64url or utf-8 for the value of the encoding attribute on the SecretKey element. base16 is a synonym for hex. The default is to decode via UTF-8.

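As an added, stand-alone illustration of the arithmetic in the accepted answer (this is not Apigee code and not part of the original thread): the script below decodes a SecretKey string under each of the encodings the answer lists and compares the resulting key length with what the selected key-wrap algorithm requires. The function names, the `KEY_WRAP_BITS` table (A128KW/A192KW sizes come from RFC 7518) and the `to_base64url` helper are my own assumptions for the example; the two sample key strings are the ones posted in the question.

```python
import base64

# Required Key Encryption Key size, in bits, for each JWE AES Key Wrap
# algorithm (RFC 7518). The answer above states the A256KW value.
KEY_WRAP_BITS = {"A128KW": 128, "A192KW": 192, "A256KW": 256}

# Sample key strings taken from the question (constructed test input here).
KEY_32_HEX = "E9DB7E89123F52A9F2DB04EF04C7FE88"
KEY_64_HEX = "E9DB7E89123F52A9F2DB04EF04C7FE8874C737410EFCFE2277574F35ABD7A894"


def decode_secret_key(value: str, encoding: str = "utf-8") -> bytes:
    """Decode a SecretKey string the way the chosen encoding attribute would.

    utf-8 (the default): one byte per character, so 8 bits per character.
    hex / base16: one byte per pair of hex digits, so 4 bits per character.
    base64 / base64url: three bytes per four characters, so 6 bits per character.
    """
    enc = encoding.lower()
    if enc == "utf-8":
        return value.encode("utf-8")
    if enc in ("hex", "base16"):
        try:
            return bytes.fromhex(value)
        except ValueError as exc:
            # Non-hex characters or an odd number of digits cannot be a hex key.
            raise ValueError("hex keys must use only 0-9A-F and have even length") from exc
    if enc == "base64":
        return base64.b64decode(value, validate=True)
    if enc == "base64url":
        # base64url strings are often sent without '=' padding; restore it.
        padded = value + "=" * (-len(value) % 4)
        return base64.urlsafe_b64decode(padded)
    raise ValueError(f"unsupported encoding: {encoding!r}")


def to_base64url(key: bytes) -> str:
    """Encode raw key bytes as unpadded base64url (helper for round-trip checks)."""
    return base64.urlsafe_b64encode(key).rstrip(b"=").decode("ascii")


def check_kek(value: str, alg: str, encoding: str = "utf-8") -> dict:
    """Decode the key string and report whether its length fits the algorithm.

    Returns the decoded length in bits, the required length, and a boolean.
    A mismatch in either direction is rejected, which is what the policy's
    'Insufficient Key Length' error actually reports for a key that is too long.
    """
    key = decode_secret_key(value, encoding)
    bits = len(key) * 8
    required = KEY_WRAP_BITS[alg]
    return {"bits": bits, "required": required, "ok": bits == required}


if __name__ == "__main__":
    for key_str, enc in [(KEY_64_HEX, "utf-8"), (KEY_64_HEX, "hex"),
                         (KEY_32_HEX, "utf-8"), (KEY_32_HEX, "hex")]:
        result = check_kek(key_str, "A256KW", enc)
        print(f"{len(key_str)}-char string as {enc:5}: {result['bits']:3} bits "
              f"-> {'accepted' if result['ok'] else 'rejected'} for A256KW")
```

Running the script reproduces the thread: the 64-character string decoded as UTF-8 is 512 bits and is rejected, while the same string decoded as hex is 256 bits and is accepted. It also shows why the 32-character string appeared to work: under the default UTF-8 decoding it yields 32 * 8 = 256 bits, so the policy was using the ASCII bytes of the hex text as the key rather than the 128-bit value those digits represent.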

I'm SORRY! I gave the wrong configuration above. The encoding attribute needs to be on the SecretKey element. You should use THIS:

  <SecretKey encoding='hex'>
    <Value ref='private.key' />
  </SecretKey>

