Client Key
A Client Key is a cryptographic key pair used for signing tokens. The public key is exposed via JWKS for verification; the private key is never exposed.
Schema
interface ClientKey {
  kid: string; // Key ID used in JWT headers
  credential_id: string; // Client ID (cid...)
  jwk: object; // Public JWK
  public_key: string; // PEM public key
}
Properties
| Property | Type | Description |
|---|---|---|
| kid | string | Key ID (kid in JWT header) |
| credential_id | string | Client this key belongs to |
| jwk | object | Public JWK representation |
| public_key | string | PEM public key |
JWKS Representation
Public keys are exposed at /.well-known/jwks.json:
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "key_2kHfPZcN9xW4mE8RtY7vB",
      "alg": "RS256",
      "n": "0vx7agoebG...",
      "e": "AQAB"
    }
  ]
}
Key Rotation
Best practices:
- Rotate keys periodically
- Keep 2-4 keys active during transition
- Old keys remain in JWKS for token verification
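The following is an added example, not the project's own code: it shows how a verifier can pick the right key from the JWKS by kid while old and new keys are published side by side, and how a publisher can audit the JWKS for leaked private parameters. The function names, sample kid values and placeholder key material are assumptions; verifying the signature with the selected key is a separate step that must follow.

```javascript
// Added example; names and sample keys are constructed, not from the project.
const PRIVATE_PARAMS = ["d", "p", "q", "dp", "dq", "qi", "oth", "k"];
const isRs256SigKey = (k) => k.kty === "RSA" && k.alg === "RS256" && k.use === "sig";

// Decode the header of a compact JWT (first dot-separated segment, base64url JSON).
function decodeHeader(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
}

// Return the problems found in a JWKS document; an empty array means none.
function auditJwks(jwks) {
  const problems = [];
  const seen = new Set();
  for (const key of jwks.keys || []) {
    const id = key.kid || "(missing kid)";
    if (!key.kid) problems.push("key without kid");
    if (seen.has(key.kid)) problems.push(`duplicate kid ${id}`);
    seen.add(key.kid);
    const leaked = PRIVATE_PARAMS.filter((p) => p in key);
    if (leaked.length) problems.push(`${id}: private parameter(s) ${leaked.join(",")}`);
    if (!isRs256SigKey(key)) problems.push(`${id}: not an RS256 signing key`);
  }
  return problems;
}

// Pick the JWK that must verify this token. The header alg is pinned to RS256
// and cross-checked against the JWKS entry, so "none" and HS256 are rejected.
function selectVerificationKey(token, jwks) {
  const header = decodeHeader(token);
  if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`);
  if (typeof header.kid !== "string") throw new Error("missing kid");
  const matches = (jwks.keys || []).filter((k) => k.kid === header.kid);
  if (matches.length !== 1) throw new Error(`no unique key for kid ${header.kid}`);
  if (!isRs256SigKey(matches[0])) throw new Error("matched key is not an RS256 signing key");
  return matches[0];
}

// Constructed sample: a retiring key and a current key, as during a rotation ("n" is a placeholder).
const sampleJwks = { keys: [
  { kty: "RSA", use: "sig", alg: "RS256", kid: "key_old_example", n: "AQAB", e: "AQAB" },
  { kty: "RSA", use: "sig", alg: "RS256", kid: "key_new_example", n: "AQAB", e: "AQAB" },
] };
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const makeToken = (header) => `${b64(header)}.${b64({ sub: "example" })}.c2ln`; // placeholder signature
```

A token signed with the retiring key still resolves to a key for as long as that key stays in the JWKS; once the key is removed, the lookup fails closed.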
Example
{
  "kid": "key_2kHfPZcN9xW4mE8RtY7vB",
  "credential_id": "cid_1jGePYbM8wV3lD7QsX6uA",
  "jwk": { "kty": "RSA", "kid": "key_..." },
  "public_key": "-----BEGIN PUBLIC KEY-----..."
}
Related
- Client - Client configuration
- Clients - Client management
- Backend Integration - Token verification