Characters present in Task Token Generated by Step Function

Question

I am using the callback feature of Step Function where I get a Task Token generated internally by step function in my context object.

The link I referred to:- https://docs.aws.amazon.com/step-functions/latest/dg/connect-to-resource.html#connect-wait-example

Here in example they have given the example of token as :- "Token": "h7XRiCdLtd/83p1E0dMccoxlzFhglsdkzpK9mBVKZsp7d9yrT1W"

I was interested in knowing which all characters does this token contain? Like here I can see "slash" as well. There is no documentation regarding this as well.

Answer 1

TL;DR Most likely only the characters supported by base64

---

I don't believe there is any official AWS documentation explicitly stating the allowed character set in the TaskToken, only that the maximum length is 1024.

I poked around within my own account and noticed that the length of the $$.TaskToken is dependent on the name given to the step-function execution (at least for the eventbridge integration).

The documentation does however state the following:

You must pass task tokens from principals within the same AWS account. The tokens won't work if you send them from principals in a different AWS account.

https://docs.aws.amazon.com/step-functions/latest/dg/connect-to-resource.html#connect-wait-token

My assumption based on the previous two observations is that the token is a base64 encoded HMAC digest similar to the AWS Signature V4 signing process

Confirming via an AWS Support case asking if they can provide you with this info is advised if you're needing it for production workloads though.