
JSON Web Key Sets

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key and is specified in IETF RFC 7517. If you've heard of PEM files...

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDg
MBQGCCqGSIb3DQMHBAgD1kGN4ZslJgSCBMi1xk9jhlPxPc
9g73NQbtqZwI+9X5OhpSg/2ALxlCCjbqvzgSu8gfFZ4yo+
A .... MANY LINES LIKE THAT ....
X0R+meOaudPTBxoSgCCM51poFgaqt4l6VlTN4FRpj+c/Wc
blK948UAda/bWVmZjXfY4Tztah0CuqlAldOQBzu8TwE7WD
H0ga/iLNvWYexG7FHLRiq5hTj0g9mUPEbeTXuPtOkTEb/0
GEs=
-----END ENCRYPTED PRIVATE KEY-----

... JWKs are the same, but formatted using JSON:

{
  "keys": [
    {
      "kty": "oct",
      "alg": "A128KW",
      "k": "GawgguFyGrWKav7AX4VKUg"
    },
    {
      "kty": "oct",
      "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
      "kid": "HMAC key used in JWS spec Appendix A.1 example"
    }
  ]
}

ORY Hydra offers an API for generating and managing JWKs, the JSON Web Keys API. When a persistent storage backend is used, the keys are encrypted at rest with AES-256-GCM under the system secret. The system secret is generated by default and can be overridden with the environment variable SECRETS_SYSTEM.
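To show what "encrypted at rest using AES-256-GCM and the system secret" amounts to, here is an added Go example, not Hydra's own code: it seals a serialised JWK with AES-256-GCM and unseals it again. Deriving the AES key as the SHA-256 of the system secret, and binding the key ID into the authenticated data, are assumptions made for this example; the page does not describe how Hydra itself derives or scopes the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey turns the system secret into a 256-bit AES key. Hashing the
// secret with SHA-256 is an assumption for this example; Hydra's derivation
// is not described on this page.
func deriveKey(systemSecret string) []byte {
	sum := sha256.Sum256([]byte(systemSecret))
	return sum[:]
}

func newGCM(systemSecret string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(systemSecret))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a serialised JWK. The output is nonce || ciphertext || tag.
// The key ID is passed as additional authenticated data, so a blob stored
// under one kid cannot be quietly moved to another slot without failing
// authentication.
func Seal(systemSecret, kid string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(systemSecret)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(kid)), nil
}

// Open reverses Seal. Any change to the secret, the kid or a single byte of
// the blob makes GCM's tag check fail, and no plaintext is returned.
func Open(systemSecret, kid string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(systemSecret)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed key too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(kid))
	if err != nil {
		return nil, fmt.Errorf("unseal %q: %w", kid, err)
	}
	return pt, nil
}

func main() {
	// Constructed sample values for the demonstration.
	secret := "constructed-system-secret"
	jwk := []byte(`{"kty":"oct","alg":"A128KW","k":"GawgguFyGrWKav7AX4VKUg"}`)

	blob, err := Seal(secret, "hydra.openid.id-token", jwk)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(jwk), len(blob))

	if _, err := Open("wrong-secret", "hydra.openid.id-token", blob); err != nil {
		fmt.Println("wrong secret rejected:", err)
	}
	got, err := Open(secret, "hydra.openid.id-token", blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(got))
}
```

The random 96-bit nonce is fine for the volume of key material a JWK store holds; a secret that sees very high write counts would need a counter or a derived per-record key instead.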

JWKs are well supported across programming languages. This endpoint helps you manage certificates as well as private, public and symmetric keys. Never transport keys over an insecure channel such as plain HTTP.

The REST API Documentation will give you details on the various endpoints.

ORY Hydra does not support signing JWTs with symmetric keys: anyone who holds the shared secret could forge tokens.
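The following Go program is an added example, not code from ORY Hydra or from this page: it parses the JWK Set shown above (the two "oct" keys from RFC 7517 Appendix A.3), decodes their base64url key material, enforces the rule just stated by refusing any symmetric key offered for signing, and builds the public JWK for a freshly generated RSA key of the kind Hydra creates for hydra.openid.id-token. The "use": "sig" and "alg": "RS256" members on the generated key, and the JWK struct's field set, are assumptions for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// JWK carries the RFC 7517 members this page uses ("kty", "alg", "kid") plus
// "use", the "k" member of an octet-sequence key and the "n"/"e" members of
// an RSA public key. Private RSA members are left out on purpose, so this
// type can only describe the public half of a key.
type JWK struct {
	Kty string `json:"kty"`
	Alg string `json:"alg,omitempty"`
	Kid string `json:"kid,omitempty"`
	Use string `json:"use,omitempty"`
	K   string `json:"k,omitempty"`
	N   string `json:"n,omitempty"`
	E   string `json:"e,omitempty"`
}

// JWKSet is the {"keys": [...]} envelope shown above.
type JWKSet struct {
	Keys []JWK `json:"keys"`
}

// SampleJWKS is the key set from the text above (RFC 7517 Appendix A.3).
const SampleJWKS = `{"keys":[
  {"kty":"oct","alg":"A128KW","k":"GawgguFyGrWKav7AX4VKUg"},
  {"kty":"oct",
   "k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
   "kid":"HMAC key used in JWS spec Appendix A.1 example"}
]}`

// ParseJWKSet decodes a JWK Set and rejects entries without a key type.
func ParseJWKSet(data []byte) (*JWKSet, error) {
	var set JWKSet
	if err := json.Unmarshal(data, &set); err != nil {
		return nil, fmt.Errorf("jwks: %w", err)
	}
	for i, k := range set.Keys {
		if k.Kty == "" {
			return nil, fmt.Errorf("jwks: key %d has no kty", i)
		}
	}
	return &set, nil
}

// SymmetricKeyBytes decodes the unpadded base64url "k" member of an "oct" key.
func SymmetricKeyBytes(k JWK) ([]byte, error) {
	if k.Kty != "oct" {
		return nil, errors.New("not an octet-sequence key")
	}
	return base64.RawURLEncoding.DecodeString(k.K)
}

// SigningKeyAllowed applies the rule stated above: a key offered for signing
// JWTs must not be symmetric, because every holder of the secret could forge
// tokens.
func SigningKeyAllowed(k JWK) error {
	if k.Kty == "oct" {
		return fmt.Errorf("key %q is symmetric; it must not sign JWTs", k.Kid)
	}
	return nil
}

// RSAPublicJWK renders an RSA public key as a JWK, the form a verifier fetches
// to check ID Token signatures. "use"/"alg" values are assumptions here.
func RSAPublicJWK(pub *rsa.PublicKey, kid string) JWK {
	return JWK{
		Kty: "RSA", Use: "sig", Alg: "RS256", Kid: kid,
		N:   base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}
}

// GenerateSigningJWK creates a fresh RSA key pair and returns the private key
// with its public JWK; only the JWK is meant to leave the process.
func GenerateSigningJWK(kid string) (*rsa.PrivateKey, JWK, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, JWK{}, err
	}
	return priv, RSAPublicJWK(&priv.PublicKey, kid), nil
}

func main() {
	set, err := ParseJWKSet([]byte(SampleJWKS))
	if err != nil {
		panic(err)
	}
	for _, k := range set.Keys {
		raw, _ := SymmetricKeyBytes(k)
		fmt.Printf("%s %d-bit key, signing allowed: %v\n", k.Kty, len(raw)*8, SigningKeyAllowed(k))
	}
	_, pub, err := GenerateSigningJWK("hydra.openid.id-token")
	if err != nil {
		panic(err)
	}
	out, _ := json.Marshal(JWKSet{Keys: []JWK{pub}})
	fmt.Println(string(out))
}
```

Keeping the JWK type free of private members ("d", "p", "q" and friends) is the cheapest guard against accidentally publishing a private key on a public JWKS endpoint: the serializer simply has nowhere to put them.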

Auto-generated JWKs

Hydra generates a couple of JSON Web Keys that it needs to operate:

  • http://localhost:4445/keys/hydra.openid.id-token: an RSA public/private key pair for signing and validating OpenID Connect ID Tokens.
  • http://localhost:4445/keys/https-tls: an RSA public/private key pair and a certificate for serving HTTP over TLS.