JWT Signing Keys
Overview
Section titled “Overview”Cyoda Cloud uses asymmetric JWT signing keys to issue and validate access tokens for:
- Technical users (machine-to-machine API clients)
- Other scenarios where your own infrastructure needs to issue JWTs trusted by Cyoda
This guide explains the basic attributes of JWT signing keys in Cyoda and shows how to manage keys rotation.
JWT Signing Key Attributes
Section titled “JWT Signing Key Attributes”Cyoda Cloud represents each signing key-pair with a set of attributes:
- Audience (
audience)- Internal Cyoda concept that describes which consumers use tokens signed with this key. This is not the same as the JWT
audclaim. - Typical values:
human– tokens issued for the regular usersclient– tokens issued for technical users (machine-to-machine access)
- Internal Cyoda concept that describes which consumers use tokens signed with this key. This is not the same as the JWT
- Algorithm (
algorithm)- Asymmetric signing algorithms only (for example,
RS256,RS512,ES256).
- Asymmetric signing algorithms only (for example,
- Validity window (
validFrom,validTo)- Optional
validFromandvalidTodefine when a key becomes valid and when it expires.
- Optional
- Key ID (
keyId/kid)- Each key-pair has a unique
keyId. - This value is included in the JWT header as the
kidfield.
- Each key-pair has a unique
In standard Cyoda Cloud, JWT signing keys for technical users are managed centrally by Cyoda. In custom or on-premise installations, it is also possible to configure an externally injected key-pair file that IAM uses instead of managing keys entirely through the API.
Managing JWT Signing Keys
Section titled “Managing JWT Signing Keys”At a high level, you can do the following operations:
- Create or rotate signing key-pairs for the relevant audience.
- Invalidate the keys with a grace period and then reactivate them.
- Delete the key-pairs completely.
Example: Issue a Key for Technical Users
Section titled “Example: Issue a Key for Technical Users”The following example shows a minimal request for creating a key-pair for technical users:
{ "audience": "client", "algorithm": "RS256"}Your token issuer will receive the corresponding keyId and the public key. It should use the private key to sign access tokens for technical users and include the kid header in each JWT.
Example: Rotate a Key with Grace Period
Section titled “Example: Rotate a Key with Grace Period”To perform a safe rotation with a grace period for technical users:
- Issue a new key-pair for the
clientaudience if you don’t have any. - Mark the old key as invalid but allow a grace period during which previously issued tokens remain valid, for example:
{ "gracePeriodSec": 3600}After the grace period expires, you can remove the old key or leave it invalidated.
End-to-End Example: Technical User Using a Rotated Key
Section titled “End-to-End Example: Technical User Using a Rotated Key”Putting it together for a typical environment:
- Before rotation: Your technical user obtains access tokens signed with the old key (for example,
keyId = "old-key-id"). - Issue new key: You create a new key for
audience = "client"and obtainkeyId = "new-key-id". - Switch issuer: Token issuance logic starts using
"new-key-id"to sign tokens while still accepting tokens with"old-key-id"during the grace period. - Verify access: Both old and new tokens can call Cyoda APIs until the grace period expires.
- Finalize rotation: After the grace period, any remaining tokens signed with
"old-key-id"are rejected, and you can clean up the old key.
Key Rotation Flow
%3btext-align:center%3b%7d%23mermaid-0 .edgeLabel p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .edgeLabel rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .labelBkg%7bbackground-color:rgba(232%2c 232%2c 232%2c 0.5)%3b%7d%23mermaid-0 .cluster rect%7bfill:%23ffffde%3bstroke:%23aaaa33%3bstroke-width:1px%3b%7d%23mermaid-0 .cluster text%7bfill:%23333%3b%7d%23mermaid-0 .cluster span%7bcolor:%23333%3b%7d%23mermaid-0 div.mermaidTooltip%7bposition:absolute%3btext-align:center%3bmax-width:200px%3bpadding:2px%3bfont-family:arial%2csans-serif%3bfont-size:12px%3bbackground:hsl(80%2c 100%25%2c 96.2745098039%25)%3bborder:1px solid %23aaaa33%3bborder-radius:2px%3bpointer-events:none%3bz-index:100%3b%7d%23mermaid-0 .flowchartTitleText%7btext-anchor:middle%3bfont-size:18px%3bfill:%23333%3b%7d%23mermaid-0 rect.text%7bfill:none%3bstroke-width:0%3b%7d%23mermaid-0 .icon-shape%2c%23mermaid-0 .image-shape%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3btext-align:center%3b%7d%23mermaid-0 .icon-shape p%2c%23mermaid-0 .image-shape p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bpadding:2px%3b%7d%23mermaid-0 .icon-shape rect%2c%23mermaid-0 .image-shape rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .label-icon%7bdisplay:inline-block%3bheight:1em%3boverflow:visible%3bvertical-align:-0.125em%3b%7d%23mermaid-0 .node .label-icon path%7bfill:currentColor%3bstroke:revert%3bstroke-width:revert%3b%7d%23mermaid-0 :root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg%3e%3cmarker orient='auto' markerHeight='8' markerWidth='8' markerUnits='userSpaceOnUse' refY='5' refX='5' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-pointEnd'%3e%3cpath style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 0 0 L 10 5 L 0 10 z'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='8' markerWidth='8' markerUnits='userSpaceOnUse' refY='5' refX='4.5' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-pointStart'%3e%3cpath style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 0 5 L 10 10 L 10 0 z'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5' refX='11' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-circleEnd'%3e%3ccircle style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' r='5' cy='5' cx='5'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5' refX='-1' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-circleStart'%3e%3ccircle style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' r='5' cy='5' cx='5'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5.2' refX='12' viewBox='0 0 11 11' class='marker cross flowchart-v2' id='mermaid-0_flowchart-v2-crossEnd'%3e%3cpath style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5.2' refX='-1' viewBox='0 0 11 11' class='marker cross flowchart-v2' id='mermaid-0_flowchart-v2-crossStart'%3e%3cpath style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9'/%3e%3c/marker%3e%3cg class='root'%3e%3cg class='clusters'/%3e%3cg class='edgePaths'%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_A_B_0' d='M138%2c86L138%2c90.167C138%2c94.333%2c138%2c102.667%2c138%2c110.333C138%2c118%2c138%2c125%2c138%2c128.5L138%2c132'/%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_B_C_0' d='M138%2c214L138%2c218.167C138%2c222.333%2c138%2c230.667%2c138%2c238.333C138%2c246%2c138%2c253%2c138%2c256.5L138%2c260'/%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_C_D_0' d='M138%2c342L138%2c346.167C138%2c350.333%2c138%2c358.667%2c138%2c366.333C138%2c374%2c138%2c381%2c138%2c384.5L138%2c388'/%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_D_E_0' d='M138%2c470L138%2c474.167C138%2c478.333%2c138%2c486.667%2c138%2c494.333C138%2c502%2c138%2c509%2c138%2c512.5L138%2c516'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg transform='translate(138%2c 47)' id='flowchart-A-0' class='node default'%3e%3crect height='78' width='260' y='-39' x='-130' style='' class='basic label-container'/%3e%3cg transform='translate(-100%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='200'%3e%3cdiv style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eOld active key for %60client%60 audience%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(138%2c 175)' id='flowchart-B-1' class='node default'%3e%3crect height='78' width='260' y='-39' x='-130' style='' class='basic label-container'/%3e%3cg transform='translate(-100%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='200'%3e%3cdiv style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eIssue new key for %60client%60 audience%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(138%2c 303)' id='flowchart-C-2' class='node default'%3e%3crect height='78' width='260' y='-39' x='-130' style='' class='basic label-container'/%3e%3cg transform='translate(-100%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='200'%3e%3cdiv style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eSign new tokens with new %60keyId%60%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(138%2c 431)' id='flowchart-D-3' class='node default'%3e%3crect height='78' width='260' y='-39' x='-130' style='' class='basic label-container'/%3e%3cg transform='translate(-100%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='200'%3e%3cdiv style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eGrace period: accept old and new tokens%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(138%2c 547)' id='flowchart-E-4' class='node default'%3e%3crect height='54' width='183.640625' y='-27' x='-91.8203125' style='' class='basic label-container'/%3e%3cg transform='translate(-61.8203125%2c -12)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='24' width='123.640625'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eInvalidate old key%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
Key Rotation Recommendations
Section titled “Key Rotation Recommendations”- Rotate keys regularly to limit the potential security risks.
- Separate user and technical-user token lifecycles in your application.
- In custom installations with externally injected key-pairs, align your rotation schedule with how often you replace the external key-pair files.