Skip to main content
important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Enable using static and dynamic keys for jwt signing

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status:
proposed
Deciders:
rishabhpoddar, porcellus
Proposed by:
porcellus
Created:
2022-12-06

Context and Problem Statement#

In some cases people may want to issue JWTs that are valid longer than the normal access token signing key rotation.

Considered Options#

  • Enable using both static and dynamic keys for jwt signing
  • Use separate non-expiring keys for jwts

Decision Outcome#

We enable using both static and dynamic keys to sign JWTs:

  • Since this decision we want to only expose a single set of keys for jwts and access tokens
  • We can add both static and dynamic (or refreshing/expiring) keys to this keyset
  • We could use either keyset for both access tokens and JWTs, replacing the access_token_signing_key_dynamic core config option
  • By default, access tokens will be signed using dynamic keys. This can be changed through a setting in the BE SDK. (this replaces the core config option). The useDynamicAccessTokenSigningKey: boolean property will be added to the Session recipe configuration.
  • By default, jwts will be signed using the static key. This can be controlled through a parameter passed to the createJWT function called useStaticSigningKey.
  • We should rename access_token_signing_key_update_interval to access_token_dynamic_signing_key_update_interval in the core config.