JWT validation methods
On the JSON web token (JWT) validation page, you specify how incoming JWTs are validated. You can either upload a primary and a backup RSA public key manually, or load the keys dynamically from a JSON web key set (JWKS) file.
- Manual RSA key upload
- This validation method requires you to upload a primary RSA public key to verify incoming requests and a backup RSA public key for use during key rotations. The RSA keys that you upload typically have an expiry date, which means you will need to upload new RSA keys periodically.
- Dynamic JSON web key set upload
- As an alternative to the manual method, you can opt for the JWKS solution, which uses certificate chains tied to the hostnames that form the JWKS URIs. A JWKS URI is a secure location that serves public JSON web keys as an array of JSON objects. The certificate chains usually have a longer lifespan than RSA keys and require less frequent updates to the JWT validation page. JWKS also lets you rotate keys more seamlessly, reducing interruptions to clients that consume a JWT.

Note: If you choose the JWKS method, ensure that the public keys are located at the following path: https://your_domain/.well-known/jwks.json. This is the default path from which edge servers request a JWKS over the Transport Layer Security (TLS) protocol. The .well-known prefix provides a central location for web resources of a specific type and helps avoid collisions between resources. For more details on the .well-known prefix, see RFC 5785.
A full valid JWKS URI could look like this: https://bookstore.api.com/.well-known/jwks.json
For additional details on the JWKS specification, see RFC 7517.