Important: This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

We should use the same keys to sign access tokens and custom JWTs

Status

This is just a proposal so far; it hasn't been accepted and needs further discussion.

Status: proposed
Deciders: rishabhpoddar, porcellus
Proposed by: porcellus
Created: 2022-12-06

Context and Problem Statement

Since our access tokens will be standard JWTs and we want to enable their verification without our SDK, we will expose the public keys through a JWKS endpoint. These can be the same keys we use to sign other (custom) JWTs.

Considered Options

  • Separate keysets exposed under separate endpoints
  • Separate keysets exposed under a single endpoint
  • Same keyset

Decision Outcome

We should use the same keyset to sign access tokens and custom JWTs:

  • Having separate endpoints could be confusing to users
  • Having separate settings for the two keysets could be confusing if we expose them under the same endpoint
  • Exposing the union of the two keysets under the same endpoint could cause (minor) problems when caching keys for verification
  • Check this decision for discussion on static and dynamic keys.
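
The sketch below is an added example, not SuperTokens code: it shows what verification without the SDK looks like when one keyset behind one JWKS document signs both access tokens and custom JWTs, using a key cache indexed by `kid` that refetches when it sees an unknown key id. The RS256 algorithm, the `makeIssuer` and `makeVerifier` helpers, the key ids and the claims are all assumptions constructed for illustration.

```javascript
const crypto = require("node:crypto");

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const newKey = (kid) => ({ kid, ...crypto.generateKeyPairSync("rsa", { modulusLength: 2048 }) });

// Constructed stand-in for the issuer: one keyset signs every JWT it issues.
function makeIssuer(kids) {
  const keys = kids.map(newKey);
  return {
    rotate: (kid) => keys.push(newKey(kid)),
    // The document a single JWKS endpoint would serve.
    jwks: () => ({
      keys: keys.map((k) => ({ ...k.publicKey.export({ format: "jwk" }), kid: k.kid, use: "sig", alg: "RS256" })),
    }),
    sign(kid, claims) {
      const input = b64u({ alg: "RS256", typ: "JWT", kid }) + "." + b64u(claims);
      const key = keys.find((k) => k.kid === kid).privateKey;
      return input + "." + crypto.sign("sha256", Buffer.from(input), key).toString("base64url");
    },
  };
}

// Verifier with a kid-indexed key cache; fetchJwks returns the JWKS document.
function makeVerifier(fetchJwks) {
  let cache = new Map();
  let fetches = 0;
  const refresh = () => {
    fetches += 1;
    cache = new Map(fetchJwks().keys.map(({ kid, kty, n, e }) =>
      [kid, crypto.createPublicKey({ key: { kty, n, e }, format: "jwk" })]));
  };
  return {
    fetchCount: () => fetches,
    verify(token) {
      const [h, p, s] = token.split(".");
      const header = JSON.parse(Buffer.from(h, "base64url").toString());
      if (header.alg !== "RS256") throw new Error("unexpected alg"); // pin the algorithm
      // Unknown kid: the keyset may have rotated, so refetch (rate-limit this in production).
      if (!cache.has(header.kid)) refresh();
      const key = cache.get(header.kid);
      if (!key) throw new Error("unknown kid");
      const ok = crypto.verify("sha256", Buffer.from(h + "." + p), key, Buffer.from(s, "base64url"));
      if (!ok) throw new Error("bad signature");
      return JSON.parse(Buffer.from(p, "base64url").toString()); // claim checks (exp, token kind) come next
    },
  };
}
```

With a shared keyset, a valid signature alone does not tell the verifier whether it holds an access token or a custom JWT, so that distinction has to come from the claims.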