JWT signature
The Login product supports two JWT signature generation algorithms:
- HS256 is an algorithm that uses only one key. This key is shared between both parties — the Xsolla Login server and your application — and must be kept secret. The same key is used both to create the signature of the token and to validate it.
- RS256 is an algorithm that uses a pair of keys: one public key and one private key, which must be kept secret. The private key is only stored on the Xsolla Login server and is used to sign tokens. The public key (JSON Web Key) is issued to your application for token validation.
Depending on the chosen signature generation algorithm, your application will need to validate tokens differently.
When creating a Login project, the HS256 algorithm is selected by default and a secret key for signing and validating tokens is automatically generated. Obtain the key as described in the How to get the JWT validation key section. To change the signature generation algorithm and/or generate a new token validation key, as well as change the token validity period, refer to the How to change JWT signature settings section.
How to get the JWT validation key
- Open your project in Publisher Account and go to the Login section.
- Click Configure in the pane of a Login project.
- Go to the Security block and select the JWT signature section.
- Click the copy icon.
Use the copied key to validate the JWTs in your applications associated with this Login project.
How to change JWT signature settings
You can change the JWT signature generation algorithm, generate a new token validation key, and change the token validity period.
- Open your project in Publisher Account and go to the Login section.
- Click Configure in the pane of a Login project.
- Go to the Security block and select the JWT signature section.
- If necessary, change the signature generation algorithm: HS256 or RS256.
- To reset the current key, click:
- for the HS256 algorithm — Reset secret key;
- for the RS256 algorithm — Reset JSON Web Key.
- If you have changed the signature generation algorithm or reset the current key, the Login product will generate a new key (key pair). In this case:
- Copy the new token validation key by clicking the copy icon.
- Update the token validation key in all your applications associated with this Login project.
- To change the period of the tokens’ validity, specify the desired value in seconds in the Token lifetime field.
- Click Save changes.
- If your actions led to a change in the current token validation key (algorithm change or reset of the current key), the Login product will ask for confirmation to apply the new key.
- In the modal window, check the I understand box and click Yes, apply.
Found a typo or other text error? Select the text and press Ctrl+Enter.