Skip to content

Allow users to supply their own JWT signing keys (BYOK for JWT auth) #673

Description

@kriszyp

Today Harper generates and manages its own JWT signing key. Operators who want to integrate with an existing identity provider or control key rotation need to supply their own keys.

Ask

  • Accept a user-supplied RSA/EC private key (and corresponding public key) via Ops API or config.
  • Use the supplied key pair to sign and verify JWTs instead of Harper's auto-generated key.
  • Support key rotation with a grace period for tokens signed by the previous key.

Design considerations (Not Ready — needs decisions)

  • Supported algorithms? (RS256, ES256, …)
  • Storage: ~/hdb/keys/ alongside TLS certs?
  • Ops API: new upload_jwt_key operation, or extend add_certificate?
  • Grace period for old tokens — operator-configurable?

🤖 Filed by Claude on behalf of Kris.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:authAuthentication, authorization, JWT, user managementenhancementNew feature or requestfrom-jiraMigrated or originated from a Jira ticket

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions