Important: This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
We should use the same keys to sign access tokens and custom JWTs
Status
This is just a proposal so far; it hasn't been accepted and needs further discussion.
- Status: proposed
- Deciders: rishabhpoddar, porcellus
- Proposed by: porcellus
- Created: 2022-12-06
Context and Problem Statement
Since our access tokens will be standard JWTs and we want to enable their verification without our SDK, we will expose the public keys using a jwks endpoint. These can be the same as the keys we use to sign other (custom) JWTs.
Considered Options
- Separate keysets exposed under separate endpoints
- Separate keysets exposed under a single endpoint
- Same keyset
Decision Outcome
We should use the same keyset to sign access tokens and custom JWTs:
- Having separate endpoints could be confusing to users
- Having separate settings for the two keysets could be confusing if we expose them under the same endpoint
- Exposing the union of the two keysets under the same endpoint could cause (minor) problems when caching keys for verification
- Check this decision for discussion on static and dynamic keys.
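As an added example, not code from this ADR or from SuperTokens, the following Go program shows what the chosen option looks like in practice for the context described above and for the caching concern in the decision outcome: one keyset, one JWKS document served by a single endpoint, and a verifier that resolves the kid in the token header against that one document. An access token and a custom JWT signed with the same key therefore verify through the same cached keyset, with nothing in the verifier that depends on which kind of token it is looking at. The kid value, the claim names (`sub`, `type`) and the ES256/P-256 choice are assumptions of the example, not SuperTokens' actual configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// signingKey is one entry of the single shared keyset; the same entry signs
// access tokens and custom JWTs. Constructed example, not SuperTokens code.
type signingKey struct {
	kid  string
	priv *ecdsa.PrivateKey
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func newSigningKey(kid string) (*signingKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &signingKey{kid: kid, priv: priv}, err
}

// jwksDocument renders the JSON the one jwks endpoint serves for the whole keyset.
func jwksDocument(keys []*signingKey) ([]byte, error) {
	var set []map[string]string
	for _, k := range keys {
		set = append(set, map[string]string{
			"kty": "EC", "crv": "P-256", "use": "sig", "alg": "ES256", "kid": k.kid,
			"x": b64(k.priv.PublicKey.X.FillBytes(make([]byte, 32))),
			"y": b64(k.priv.PublicKey.Y.FillBytes(make([]byte, 32))),
		})
	}
	return json.Marshal(map[string]any{"keys": set})
}

// sign produces a compact ES256 JWS whose kid header names the published key,
// regardless of whether the claims describe an access token or a custom JWT.
func (k *signingKey) sign(claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": k.kid})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, k.priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64(sig), nil
}

// verify checks a token against a (possibly cached) JWKS document: it pins the
// algorithm, selects the key by kid, and returns the claims only on success.
func verify(token string, jwksJSON []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrBytes, err := dec(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("bad header or unexpected alg") // never trust alg from the token alone
	}
	var doc struct{ Keys []map[string]string }
	if err := json.Unmarshal(jwksJSON, &doc); err != nil {
		return nil, err
	}
	var pub *ecdsa.PublicKey
	for _, k := range doc.Keys { // one keyset: both token types resolve their kid here
		x, errX := dec(k["x"])
		y, errY := dec(k["y"])
		if k["kid"] == hdr.Kid && k["kty"] == "EC" && k["crv"] == "P-256" && errX == nil && errY == nil {
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		}
	}
	sig, err := dec(parts[2])
	if pub == nil || err != nil || len(sig) != 64 {
		return nil, errors.New("unknown kid or malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]any
	if payload, err := dec(parts[1]); err != nil {
		return nil, err
	} else if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}
```

A verifier, whether it is the SDK or a third party, fetches the document once, caches it keyed by kid, and refetches only when it meets a kid it has not seen. With a single keyset that refetch happens at most once per key rotation; with the union of two independently rotated keysets behind one endpoint, the same cache would be invalidated by either rotation, which is the minor caching problem the decision refers to.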