JWT public and private keys

Userfront uses the RS256 algorithm to sign JWT access tokens.

The RS256 algorithm uses a key pair: a public key and a private key.

The public key is used to verify access token authenticity, and the private key is used to create access tokens.

#JWT public key

You can use your JWT public key to verify the JWT access tokens granted to your users when they log into your application.

Once you have verified an access token, you can trust that it was created by Userfront and that it has not been altered by a third party.

Your JWT public key is available in the Settings tab of your Userfront dashboard.

Your JWT public key is truly public. It can be shared anywhere without reducing security.

Learn how to verify an access token here.

#Plain text JWT public key

The JWT public key is denoted with the text



These lines are part of the public key and should be included whenever you use the public key.

The public key must be used exactly as displayed without changes: line breaks are important, so you cannot shorten the key to one line. You also need to ensure that there are no spaces before or after the public key in your system.

You have a different JWT public key in live mode than in test mode.

#Base64 encoded

If you want to add the JWT public key as an environment variable for your system, it is often easier to use a Base64 encoded version.

Userfront provides this version alongside the plain text version as a convenience.

The Base64 encoded version is the same public key, and you can Base64 decode this version to get the plain text version.

#JWT private key

Userfront uses a private key specific to your account to create JWT access tokens for your users.

This private key is not available in your dashboard: Userfront encrypts each private key such that it is only accessible during automated token creation.

#RSA algorithm

The RS256 algorithm uses SHA-256 hashing along with large-modulus RSA signing as recommended by the NSA for protecting sensitive information.