THIS DOCUMENTATION HAS MOVED TO ory.sh/docs/hydra
JSON Web Keys (JWK)
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key; it is
specified in IETF RFC 7517. If you've heard of PEM files...
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDg
MBQGCCqGSIb3DQMHBAgD1kGN4ZslJgSCBMi1xk9jhlPxPc
9g73NQbtqZwI+9X5OhpSg/2ALxlCCjbqvzgSu8gfFZ4yo+
A .... MANY LINES LIKE THAT ....
X0R+meOaudPTBxoSgCCM51poFgaqt4l6VlTN4FRpj+c/Wc
blK948UAda/bWVmZjXfY4Tztah0CuqlAldOQBzu8TwE7WD
H0ga/iLNvWYexG7FHLRiq5hTj0g9mUPEbeTXuPtOkTEb/0
GEs=
-----END ENCRYPTED PRIVATE KEY-----
... JWKs are the same, but formatted using JSON:
{
  "keys": [
    {
      "kty": "oct",
      "alg": "A128KW",
      "k": "GawgguFyGrWKav7AX4VKUg"
    },
    {
      "kty": "oct",
      "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
      "kid": "HMAC key used in JWS spec Appendix A.1 example"
    }
  ]
}
Hydra offers an API for generating and managing JWKs, the JSON Web Keys API.
When using persistent storage backends, the keys are encrypted at rest using AES256-GCM and the system secret.
The system secret is generated automatically by default and can be overridden with the environment variable SYSTEM_SECRET.
JWKs are well supported across all languages. This endpoint helps you manage
certificates as well as private, public and symmetric keys. It is important to never transport keys over insecure channels such as plain HTTP.
The JWK REST API Documentation gives you details on the
various endpoints.
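As an added example (not code from the original page or from Hydra itself), the Go program below parses the JWK set shown above, selects the HMAC key by its kid, and verifies the HS256 compact JWS from RFC 7515 Appendix A.1 with it; the lookup refuses keys whose kty or alg does not fit, and the verifier rejects any header alg other than HS256 instead of letting the token choose. The same checks (kid lookup, key-type and alg pinning, verifier-chosen algorithm) apply when validating ID Tokens with the RSA public key from the hydra.openid.id-token/public endpoint.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWK holds the RFC 7517 members used here (encoding/json maps them to kty/alg/kid/k
// case-insensitively); K is the base64url-encoded raw secret of an "oct" key.
type JWK struct{ Kty, Alg, Kid, K string }
type JWKSet struct{ Keys []JWK } // the {"keys": [...]} container the keys endpoints return
// jwkSetJSON is the set shown above (RFC 7517 Appendix A.3) with the wrapped "k" value rejoined.
const jwkSetJSON = `{"keys":[{"kty":"oct","alg":"A128KW","k":"GawgguFyGrWKav7AX4VKUg"},
{"kty":"oct","k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
"kid":"HMAC key used in JWS spec Appendix A.1 example"}]}`
// rfcJWS is the HS256 compact JWS from RFC 7515 Appendix A.1, signed with that second key.
const rfcJWS = "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9." +
	"eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ." +
	"dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"

// LookupOctKey returns the raw bytes of the "oct" key with the given kid; keys of another type, or alg-pinned to anything but HS256, are never handed out.
func LookupOctKey(set JWKSet, kid string) ([]byte, error) {
	for _, k := range set.Keys {
		if k.Kid == kid && k.Kty == "oct" && (k.Alg == "" || k.Alg == "HS256") {
			return base64.RawURLEncoding.DecodeString(k.K)
		}
	}
	return nil, fmt.Errorf("no oct key usable for HS256 with kid %q", kid)
}

// VerifyHS256 checks a compact JWS against key; the verifier, not the token header, fixes the algorithm, so "none" or anything else is rejected outright.
func VerifyHS256(jws string, key []byte) (bool, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("malformed compact JWS")
	}
	hdr, errH := base64.RawURLEncoding.DecodeString(parts[0])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	var h struct{ Alg string }
	if errJ := json.Unmarshal(hdr, &h); errH != nil || errS != nil || errJ != nil || h.Alg != "HS256" {
		return false, fmt.Errorf("header or signature rejected (alg=%q)", h.Alg)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1])) // signing input is header.payload exactly as transmitted
	return hmac.Equal(mac.Sum(nil), sig), nil    // constant-time comparison of the MAC
}
```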
Auto-generated JWKs
Hydra generates a couple of JSON Web Keys in order to operate correctly:
http://localhost:4444/keys/hydra.openid.id-token : An RSA public/private key pair for signing and validating OpenID Connect ID Tokens.
http://localhost:4444/keys/hydra.openid.id-token/public : The public key, which you can use to validate ID Tokens.
http://localhost:4444/keys/hydra.openid.id-token/private : The private key used for signing ID Tokens.
http://localhost:4444/keys/https-tls : An RSA public/private key pair and a certificate used for serving HTTP over TLS.