Why use JWKS Endpoints

It is highly unusual for you to share your private JWKS, even for debugging. Moneyhub should NEVER ask you for your private key.

Your private key is the primary method of identifying yourself to us. If it is compromised, we would likely struggle to tell a malicious actor apart from genuine requests.

Sharing your Public JWKS through JWKS Endpoints

A key component of using JWKs and JWTs is serving a JWKS endpoint. This is a publicly accessible URL that returns a JSON document containing all of the public keys an issuer uses to sign its JWTs. Customers rely on this endpoint to verify the authenticity of the tokens you issue.

Key Principles

  1. Publicly Accessible URL: The endpoint must be hosted on a web server and be publicly reachable. A typical and recommended convention is to place it at a well-known URL, such as https://[your-domain]/.well-known/jwks.json.
  2. JSON Format: The endpoint's response must be a JSON object with a single top-level key, keys, which is an array of JWK objects.
  3. Public Keys Only: It's _absolutely_ critical that the endpoint only exposes public keys. The corresponding private keys used for signing must remain secure and private on your server. Exposing a private key would allow anyone to forge tokens on your behalf, completely compromising the security of your system.
  4. Security: The endpoint should be served over HTTPS to ensure the integrity and confidentiality of the key information during transit.
  5. Key Rotation: The JWKS endpoint simplifies key rotation. When you need to generate a new key pair for security reasons, you add the new public key to your JWKS and update the kid in your JWTs to use the new key. Clients can then retrieve the updated JWKS and continue to validate tokens without any manual configuration changes.