JWT signature

The Login product supports two JWT signature generation algorithms:

  • HS256 is an algorithm that uses only one key. This key is shared between both parties — the Xsolla Login server and your application — and must be kept secret. The same key is used both to create the signature of the token and to validate it.
  • RS256 is an algorithm that uses a key pair: a public key and a private key. The private key must be kept secret; it is stored only on the Xsolla Login server and is used to sign tokens. The public key (JSON Web Key) is issued to your application for token validation.

Depending on the chosen signature generation algorithm, your application will need to validate tokens differently.

When creating a Login project, the HS256 algorithm is selected by default and a secret key for signing and validating tokens is automatically generated. Obtain the key as described in the How to get the JWT validation key section. To change the signature generation algorithm and/or generate a new token validation key, as well as change the token validity period, refer to the How to change JWT signature settings section.
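The two validation paths described above, as an added example written for this page rather than code from Xsolla: the application pins the algorithm its Login project is configured for (HS256 with the shared secret, or RS256 with the public JWK) and rejects any token whose header claims a different one, checks the signature in constant time, and enforces `exp`. Everything here uses the Python standard library only. The JWK layout (`kty`, `n`, `e`) is the standard RFC 7517 form; `DEMO_SECRET`, the demo RSA primes and the `issue_token` function are constructed so the example runs offline, with `issue_token` standing in for the Login server. The demo RSA key is deliberately small (512-bit) and exists only to exercise the verification code.

```python
"""Validate HS256- and RS256-signed JWTs against a pinned project algorithm (standard library only)."""
import base64
import hashlib
import hmac
import json
import time

# DER prefix of the SHA-256 DigestInfo used by RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _int_to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def _pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("RSA modulus too small for SHA-256")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def rs256_verify(signing_input: bytes, signature: bytes, jwk: dict) -> bool:
    """Verify an RS256 signature against a public JWK of the form {"kty": "RSA", "n": ..., "e": ...}."""
    if jwk.get("kty") != "RSA":
        return False
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _pkcs1_v15_encode(signing_input, k))


def validate_token(token: str, expected_alg: str, key, now=None) -> dict:
    """Return the claims of a valid token or raise ValueError.

    expected_alg is the algorithm configured for the Login project; key is the
    shared secret (bytes) for HS256 or the public JWK (dict) for RS256.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to the project's setting; never let the token choose it.
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = b64url_decode(sig_b64)
    if expected_alg == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(signature, expected)
    elif expected_alg == "RS256":
        ok = rs256_verify(signing_input, signature, key)
    else:
        raise ValueError("unsupported algorithm")
    if not ok:
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, expected_alg: str, key, now=None) -> bool:
    try:
        validate_token(token, expected_alg, key, now)
        return True
    except ValueError:
        return False


def issue_token(claims: dict, alg: str, signing_key) -> str:
    """Toy issuer standing in for the Login server: HS256 takes secret bytes, RS256 takes (n, d)."""
    def enc(obj) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("ascii"))
    signing_input = f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(claims)}"
    if alg == "HS256":
        sig = hmac.new(signing_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    elif alg == "RS256":
        n, d = signing_key
        k = (n.bit_length() + 7) // 8
        em = int.from_bytes(_pkcs1_v15_encode(signing_input.encode("ascii"), k), "big")
        sig = pow(em, d, n).to_bytes(k, "big")
    else:
        raise ValueError("unsupported algorithm")
    return f"{signing_input}.{b64url_encode(sig)}"


# Constructed demo RSA key: the Curve25519 and secp256k1 field primes give a 512-bit
# modulus, far too small for production but enough to run the padding and
# verification path offline. The JWK below mirrors what Publisher Account hands out.
_P, _Q = 2**255 - 19, 2**256 - 2**32 - 977
DEMO_N, DEMO_E = _P * _Q, 65537
DEMO_D = pow(DEMO_E, -1, (_P - 1) * (_Q - 1))
DEMO_JWK = {"kty": "RSA", "alg": "RS256", "use": "sig",
            "n": b64url_encode(_int_to_bytes(DEMO_N)), "e": b64url_encode(_int_to_bytes(DEMO_E))}
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"

if __name__ == "__main__":
    hs = issue_token({"sub": "user-1", "exp": 2_000_000_000}, "HS256", DEMO_SECRET)
    rs = issue_token({"sub": "user-1", "exp": 2_000_000_000}, "RS256", (DEMO_N, DEMO_D))
    print(validate_token(hs, "HS256", DEMO_SECRET))
    print(validate_token(rs, "RS256", DEMO_JWK))
    print(is_valid(hs, "RS256", DEMO_JWK))           # algorithm is pinned to RS256
    print(is_valid(hs, "HS256", b"rotated-secret"))  # a reset key invalidates older tokens
```

The last two calls show the behaviour that matters operationally: a token whose header names a different algorithm than the project is configured for is rejected outright, and once the key has been reset in Publisher Account, tokens signed under the old key no longer validate, which is why the validation key must be updated in every application before the new key is applied.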

How to get the JWT validation key

  1. Open your project in Publisher Account and go to the Login section.
  2. Click Configure in the pane of a Login project.
  3. Go to the Security block and select the JWT signature section.
  4. Click the copy icon.

Use the copied key to validate the JWTs in your applications associated with this Login project.

How to change JWT signature settings

You can change the JWT signature generation algorithm, generate a new token validation key, and change the token validity period.

  1. Open your project in Publisher Account and go to the Login section.
  2. Click Configure in the pane of a Login project.
  3. Go to the Security block and select the JWT signature section.
  4. If necessary, change the signature generation algorithm: HS256 or RS256.
  5. To reset the current key, click:
    • for the HS256 algorithm — Reset secret key;
    • for the RS256 algorithm — Reset JSON Web Key.
  6. If you have changed the signature generation algorithm or reset the current key, the Login product will generate a new key (key pair). In this case:
    1. Copy the new token validation key by clicking the copy icon.
    2. Update the token validation key in all your applications associated with this Login project.
  7. To change the period of the tokens’ validity, specify the desired value in seconds in the Token lifetime field.
  8. Click Save changes.
  9. If your actions led to a change in the current token validation key (algorithm change or reset of the current key), the Login product will ask for confirmation to apply the new key.
     Notice
     Once the confirmation is received, all new JWTs will be signed with the new key, and the previous key will no longer be available.
  10. In the modal window, check the I understand box and click Yes, apply.
Last updated: September 18, 2024