Keys

March 18, 2020

Axioms uses cryptographic keys to create digitally signed tokens as well as for token and data encryption. These keys are unique to each tenant and are stored in JSON Web Key (JWK) format in the tenant database.

Key Types

As specified by RFC 7518 (JSON Web Algorithms, JWA), Axioms supports three key types:

| Kty Param | Key Type | Classification | Signature | Encryption | MAC | Implementation Requirements |
|---|---|---|---|---|---|---|
| RSA | RSA | Public/private keypair | Yes | Yes | No | Recommended+ |
| EC | Elliptic Curve | Public/private keypair | Yes | Yes | No | Required |
| oct | Octet sequence | Secret or shared key | No | Yes | Yes | Required |

Values for alg

Possible alg (algorithm) header parameter values for JWS/JWT:

| Key Type | Values for alg param | Algorithm Family |
|---|---|---|
| RSA | RS256, RS384, RS512 | RSA |
| EC | ES256, ES384, ES512 | ECDSA |
| oct | HS256, HS384, HS512 | HMAC |

Default alg

Default alg (algorithm) header parameter values for JWS/JWT:

| Default alg | Algorithm | Implementation Requirements |
|---|---|---|
| HS256 | HMAC using SHA-256 | Required |
| RS256 | RSASSA-PKCS1-v1_5 using SHA-256 | Recommended |
| ES256 | ECDSA using P-256 and SHA-256 | Recommended+ |

Use cases

  • JSON Web Signature (Signed JWT Tokens)
  • JSON Web Encryption (Signed and Encrypted JWT Tokens)

Recommendations

  • For third-party clients, you should use RSA/EC keys to issue signed JWT tokens.
  • Third-party clients can verify the signature using the public keys published at the JWKS endpoint.
  • For first-party clients, you can also issue JWT tokens signed with a secret key.
  • For first-party clients, you can also issue Signed and Encrypted JWT Tokens.

Create new key

When you create a new tenant, the Axioms platform automatically creates a new set of default keys of type RSA, EC, and oct, so you typically don't need to create a new key. That said, depending on your needs you can manually create new keys and set them as default.

🔵 You can have as many crypto keys as you want, but for each key type there can be only one default key. Default keys are rotated periodically.

🔴 If needed, you can deactivate an existing key through the UI. Before you deactivate an existing key, make sure there is at least one active default key of the given key type.


JWKS

A JSON Web Key Set (JWKS) is a set of keys containing the public keys of key type RSA or EC that clients use to verify signed JWT tokens. The JWKS is available at:

https://{{tenant.domain}}/oauth2/.well-known/jwks.json
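A JWKS document must carry only public RSA/EC material, and a consumer of the endpoint should pick the verification key by kid and then confirm the key's type matches the token's alg family. The added example below (not Axioms' code; the JWKS bodies and the modulus/coordinate values are constructed placeholders, and the endpoint fetch is left to the caller) implements both checks: one side validates a set before publishing or trusting it, the other selects a key for a given token header.

```python
import json

# The page states the JWKS carries public keys of type RSA or EC only.
ALLOWED_PUBLIC_KTY = {"RSA", "EC"}
# RFC 7518 private/secret members that must never appear in a published set.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
# Public members each key type needs to be usable at all.
REQUIRED_PUBLIC = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}}
# alg prefix -> key type, from the "Values for alg" table.
ALG_FAMILY_TO_KTY = {"RS": "RSA", "ES": "EC"}

# Constructed sample set: "PLACEHOLDER" stands in for real base64url key material.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "rsa-1", "use": "sig", "alg": "RS256", "n": "PLACEHOLDER", "e": "AQAB"},
    {"kty": "EC", "kid": "ec-1", "use": "sig", "crv": "P-256", "x": "PLACEHOLDER", "y": "PLACEHOLDER"},
    {"kty": "RSA", "kid": "rsa-enc", "use": "enc", "n": "PLACEHOLDER", "e": "AQAB"},
]})
# Constructed bad set: a private exponent leaked into what should be a public key.
LEAKY_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "rsa-1", "use": "sig", "n": "PLACEHOLDER", "e": "AQAB", "d": "PLACEHOLDER"},
]})


def validate_jwks(document: str) -> dict:
    """Parse a JWKS body; return {kid: jwk} of keys usable for signature verification.

    Raises ValueError if any key is not a public RSA/EC key, lacks a kid, or
    contains private members.
    """
    keys = json.loads(document).get("keys")
    if not isinstance(keys, list):
        raise ValueError("JWKS must contain a 'keys' array")
    usable = {}
    for jwk in keys:
        kid = jwk.get("kid")
        if kid is None:
            raise ValueError("every published key needs a kid for rotation to work")
        kty = jwk.get("kty")
        if kty not in ALLOWED_PUBLIC_KTY:
            raise ValueError(f"key {kid!r}: kty {kty!r} must not be published")
        leaked = PRIVATE_MEMBERS & set(jwk)
        if leaked:
            raise ValueError(f"key {kid!r}: private members {sorted(leaked)} in public set")
        missing = REQUIRED_PUBLIC[kty] - set(jwk)
        if missing:
            raise ValueError(f"key {kid!r}: missing public members {sorted(missing)}")
        if jwk.get("use", "sig") != "sig":
            continue  # encryption keys are published too, but never verify tokens
        usable[kid] = jwk
    return usable


def is_safe_to_publish(document: str) -> bool:
    """Boolean wrapper for pre-publication checks or monitoring."""
    try:
        validate_jwks(document)
        return True
    except ValueError:
        return False


def select_key(jwks: dict, token_header: dict):
    """Pick the key named by the token's kid, rejecting alg/key-type mismatches."""
    jwk = jwks.get(token_header.get("kid"))
    if jwk is None:
        return None
    alg = str(token_header.get("alg", ""))
    # An HS* alg against a public key would mean treating the public key as an
    # HMAC secret; the family lookup returns None for it and the key is refused.
    if ALG_FAMILY_TO_KTY.get(alg[:2]) != jwk["kty"]:
        return None
    if "alg" in jwk and jwk["alg"] != alg:
        return None
    return jwk


if __name__ == "__main__":
    keys = validate_jwks(SAMPLE_JWKS)
    print(sorted(keys))
    print(select_key(keys, {"alg": "RS256", "kid": "rsa-1"}))
    print(is_safe_to_publish(LEAKY_JWKS))
```

Fetching the document from the tenant's jwks.json URL and caching it by kid is the caller's job; re-fetch on an unknown kid so rotated default keys are picked up without a restart.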