Today Harper generates and manages its own JWT signing key. Operators who want to integrate with an existing identity provider or control key rotation need to supply their own keys.
Ask
- Accept a user-supplied RSA/EC private key (and corresponding public key) via Ops API or config.
- Use the supplied key pair to sign and verify JWTs instead of Harper's auto-generated key.
- Support key rotation with a grace period for tokens signed by the previous key.
Design considerations (Not Ready — needs decisions)
- Supported algorithms? (RS256, ES256, …)
- Storage:
~/hdb/keys/ alongside TLS certs?
- Ops API: new
upload_jwt_key operation, or extend add_certificate?
- Grace period for old tokens — operator-configurable?
🤖 Filed by Claude on behalf of Kris.
Today Harper generates and manages its own JWT signing key. Operators who want to integrate with an existing identity provider or control key rotation need to supply their own keys.
Ask
Design considerations (Not Ready — needs decisions)
~/hdb/keys/alongside TLS certs?upload_jwt_keyoperation, or extendadd_certificate?🤖 Filed by Claude on behalf of Kris.