JWT validation methods

On the JSON web token (JWT) validation page, you can specify how to validate incoming JWTs. You can either upload a primary and a backup RSA public key manually, or load the keys dynamically from a JSON web key set (JWKS) file.

Manual RSA key upload
This validation method requires you to upload a primary RSA public key to verify incoming requests and a backup RSA public key for use during key rotations. The RSA keys that you upload typically have an expiry date, which means you will need to upload new RSA keys periodically.

Dynamic JSON web key set upload
As an alternative to the manual method, you can use JWKS, which relies on certificate chains tied to the hostnames in JWKS URIs. JWKS URIs are secure locations that store public JSON web keys in an array of JSON objects. The certificate chains usually have a longer lifespan than RSA keys and require less frequent updates to the JWT validation page. JWKS also helps you rotate keys more seamlessly, which reduces interruptions to clients consuming a JWT.
Note: If you choose the JWKS method, ensure that the public keys are located at a URL accessible from the Internet. This URL is where Akamai edge servers request a JWKS over the Transport Layer Security (TLS) protocol. If you are relying on an identity cloud provider, we strongly advise that the URL for the JWKS contains your own public domain name rather than the identity cloud provider domain name.

A full valid JWKS URI could look like this: https://bookstore.api.com/.well-known/jwks.json

For additional details on the JWKS specification, see RFC 7517.
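
The following Node.js code is an added example, not Akamai's implementation or code from this page. It shows how a validator can use a JWKS that holds both a primary and a backup key, so tokens signed by either key verify during a rotation. The key IDs, the `kid` header lookup, the claims, and the choice of RS256 are assumptions; the keys are generated inline.

```javascript
// Added example: keys, key IDs and claims are constructed for illustration.
const crypto = require('crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Generate an RSA key pair and its public JWK (the entry a JWKS would publish).
function makeKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { kid, privateKey, jwk: { ...publicKey.export({ format: 'jwk' }), kid, use: 'sig', alg: 'RS256' } };
}

// Issuer side: sign claims with RS256 and name the signing key in the header.
function signJwt(claims, key) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: key.kid }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key.privateKey).toString('base64url')}`;
}

// Validator side: returns the claims, or throws on any failed check.
function verifyWithJwks(token, jwks, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = JSON.parse(fromB64url(parts[0]).toString());
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const publicKey = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('sha256', signed, publicKey, fromB64url(parts[2]))) throw new Error('bad signature');
  const claims = JSON.parse(fromB64url(parts[1]).toString());
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

function demo() {
  const primary = makeKey('key-primary');
  const backup = makeKey('key-backup');
  const impostor = makeKey('key-primary'); // same kid, different key material
  const jwks = { keys: [primary.jwk, backup.jwk] }; // document served at the JWKS URI
  const exp = Math.floor(Date.now() / 1000) + 300;
  const check = (t) => { try { return verifyWithJwks(t, jwks).sub; } catch (e) { return e.message; } };
  return {
    primary: check(signJwt({ sub: 'alice', exp }, primary)),
    backup: check(signJwt({ sub: 'alice', exp }, backup)),
    wrongKey: check(signJwt({ sub: 'alice', exp }, impostor)),
    unknownKid: check(signJwt({ sub: 'alice', exp }, makeKey('key-retired'))),
    expired: check(signJwt({ sub: 'alice', exp: 1 }, primary)),
  };
}

console.log(demo());
```

A key that has been removed from the JWKS fails the `kid` lookup, so retiring a key takes effect as soon as the validator reads the updated set.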