JWT public and private keys
Userfront uses the RS256 algorithm to sign JWT access tokens.
RS256 is an asymmetric algorithm with two keys: a public key and a private key.
The private key is used to create (sign) access tokens, and the public key is used to verify that an access token is authentic.
JWT public key
You can use your JWT public key to verify the JWT access tokens granted to your users when they log into your application.
Once you have verified an access token's signature, you can trust that it was created by Userfront and that it has not been altered by a third party. When verifying, require the RS256 algorithm rather than trusting the alg field in the token header, and also check the token's expiration (exp claim): a valid signature proves who created the token and that it is intact, not that it is still current.
Your JWT public key is available in the Settings tab of your Userfront dashboard.
Your JWT public key is truly public. It can be shared anywhere without reducing security.
Learn how to verify an access token here.
Plain text JWT public key
The JWT public key is enclosed between the lines
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
These header and footer lines are part of the PEM-encoded public key and must be included whenever you use the public key.
Use the public key exactly as displayed, without changes: the line breaks are part of the format, so you cannot collapse the key onto one line. Also make sure your system does not add spaces or other whitespace before or after the public key.
Live mode and test mode use different JWT public keys, so verify each token with the key for the mode in which it was issued.
If you want to store the JWT public key in an environment variable, the Base64-encoded version is often easier to handle because it is a single line with no line breaks.
Userfront provides this version alongside the plain text version as a convenience.
The Base64-encoded version is the same public key: Base64-decoding it yields the plain text version.
JWT private key
Userfront uses a private key specific to your account to create JWT access tokens for your users.
This private key is never shown in your dashboard: Userfront stores each private key encrypted so that it is accessible only during automated token creation.
RS256 (RSASSA-PKCS1-v1_5 with SHA-256, as defined for JSON Web Signatures in RFC 7518) combines SHA-256 hashing with RSA signatures over a large modulus, a combination the NSA has recommended for protecting sensitive information.