To update the claims mapper (the Jsonnet template) of a JWT tokenizer in Ory without changing the JWK (JSON Web Key Set), you only need to update the claims_mapper_url field in your tokenizer template configuration. The jwks_url (which points to your JWK) can remain unchanged. Here’s how you can do it: 1. Prepare your new Jsonnet claims mapper and encode it in base64:

cat new-claims-mapper.jsonnet | base64

2. Patch your identity config to update only the claims_mapper_url for your tokenizer template. For example, if your template is called jwt_example_template1:

ory patch identity-config --project <project-id> --workspace <workspace-id> \      --replace '/session/whoami/tokenizer/templates/jwt_example_template1/claims_mapper_url="base64://<YOUR_NEW_BASE64_ENCODED_JSONNET>"' \      --format yaml

This command updates just the claims mapper for the specified JWT template, leaving the jwks_url (and thus your JWK) untouched. You do not need to re-upload or modify the JWK if it remains valid and unchanged. For more details on JWT tokenizer templates and claims mappers, see the official documentation: [Convert Ory Sessions to JSON Web Tokens](https://www.ory.sh/docs/identities/session-to-jwt-cors#json-web-token-templates).

To change a JWT tokenizer's subject_source from external_id back to the default, you need to update the tokenizer template configuration and remove the subject_source field (or set it to its default behavior). According to the documentation, the default subject for the sub claim in JWTs is the Ory Session's IdentityID. The subject_source option is only needed if you want to use external_id instead of the default. Therefore, to revert to the default, simply remove the subject_source: external_id line from your tokenizer template configuration. After editing, update your configuration using the Ory CLI:

bash ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml

This will make the sub claim in JWTs default back to the Ory Session's IdentityID, as described in the documentation: > The sub claim can't be customized and is always set to the Ory Session's IdentityID. [Convert Ory Sessions to JSON Web Tokens](https://www.ory.sh/docs/identities/session-to-jwt-cors#json-web-token-templates) For more on the external_id and subject_source options, see: [External Identifiers](https://www.ory.sh/docs/kratos/manage-identities/external-id)

To remove the subject_source: external_id from your JWT tokenizer template and revert to the default behavior (where sub is set to the Ory Session's IdentityID), you should update your identity configuration by removing the subject_source key from the relevant tokenizer template. You can do this using the Ory CLI with the --remove flag. For example, if your tokenizer template is named jwt_template_1, run:

bash ory patch identity-config --project <project-id> --workspace <workspace-id> \   --remove '/session/whoami/tokenizer/templates/jwt_template_1/subject_source'

This command specifically removes the subject_source field from the jwt_template_1 template, restoring the default behavior for the sub claim in your JWTs [External Identifiers](https://www.ory.sh/docs/kratos/manage-identities/external-id) [Convert Ory Sessions to JSON Web Tokens](https://www.ory.sh/docs/identities/session-to-jwt-cors#json-web-token-templates) [ory patch identity-config](https://www.ory.sh/docs/cli/ory-patch-identity-config).