Version: v1.7

JSON Web Key Sets

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key; it is specified in IETF RFC 7517. If you've heard of PEM files...

```
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgMBQGCCqGSIb3DQMHBAgD1kGN4ZslJgSCBMi1xk9jhlPxPc9g73NQbtqZwI+9X5OhpSg/2ALxlCCjbqvzgSu8gfFZ4yo+A
.... MANY LINES LIKE THAT ....
X0R+meOaudPTBxoSgCCM51poFgaqt4l6VlTN4FRpj+c/WcblK948UAda/bWVmZjXfY4Tztah0CuqlAldOQBzu8TwE7WDH0ga/iLNvWYexG7FHLRiq5hTj0g9mUPEbeTXuPtOkTEb/0GEs=
-----END ENCRYPTED PRIVATE KEY-----
```

... JWKs are the same, but formatted using JSON:

```json
{
  "keys": [
    {
      "kty": "oct",
      "alg": "A128KW",
      "k": "GawgguFyGrWKav7AX4VKUg"
    },
    {
      "kty": "oct",
      "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
      "kid": "HMAC key used in JWS spec Appendix A.1 example"
    }
  ]
}
```
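As an added example (not Hydra's own code), the following shows how a consumer handles a JWK set like the one above: it parses the set, selects a key by `kid`, decodes the unpadded base64url `k` value, and signs and verifies an HS256 JWS with it, rejecting tokens whose `alg` is not the one expected for that key. The JWK set is constructed from the values shown above; the payload and header fields are illustrative.

```python
import base64
import hashlib
import hmac
import json

# Constructed JWK set, copied from the example above; the second key is the
# HMAC key from the JWS spec (RFC 7515 Appendix A.1).
JWKS_JSON = """{"keys": [
  {"kty": "oct", "alg": "A128KW", "k": "GawgguFyGrWKav7AX4VKUg"},
  {"kty": "oct",
   "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
   "kid": "HMAC key used in JWS spec Appendix A.1 example"}
]}"""
JWKS = json.loads(JWKS_JSON)

def b64url_decode(s: str) -> bytes:
    # JWK and JWS values use base64url without '=' padding; restore it first.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def find_key(jwks: dict, kid: str) -> dict:
    # Look the key up by kid; fail loudly rather than fall back to another key.
    for jwk in jwks["keys"]:
        if jwk.get("kid") == kid:
            return jwk
    raise KeyError(f"no key with kid {kid!r}")

def sign_hs256(jwk: dict, payload: dict) -> str:
    if jwk["kty"] != "oct":
        raise ValueError("HS256 needs a symmetric (oct) key")
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(jwks: dict, token: str):
    # Returns the decoded payload on success and None on any failure.
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; this also rejects "none"
            return None
        key = b64url_decode(find_key(jwks, header["kid"])["k"])
        expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return None
        return json.loads(b64url_decode(p_b64))
    except (ValueError, KeyError):
        return None
```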

ORY Hydra offers an API for generating and managing JWKs, the JSON Web Keys API. When using persistent storage backends, the keys are encrypted at rest using AES256-GCM and the system secret. The system secret is generated by default and can be overridden with the environment variable SECRETS_SYSTEM.

JWKs are well supported across languages. This endpoint helps you manage certificates and private, public and symmetric keys. It is important to never transport keys over insecure channels such as plain HTTP.

The REST API Documentation will give you details on the various endpoints.

Auto-generated JWKs

Hydra generates a couple of JSON Web Keys in order to operate correctly:

  • http://localhost:4445/keys/hydra.openid.id-token: An RSA public/private key pair for signing and validating OpenID Connect ID Tokens.
  • http://localhost:4445/keys/https-tls: An RSA public/private key pair and a certificate used for serving HTTP over TLS.