Header: Authorization: Bearer <JWT>
Algorithms allowed: RS256, ES256
Required claim: sub (used as the user id / tenant key)
Checks: iat must not be in the future; expired tokens yield WWW-Authenticate: Bearer error="expired_token"
Public key source: JWT_PROVIDER_PUBLIC_KEY must be Base64-encoded DER (SPKI)
Note: Swagger labels the auth scheme as oneclick-jwt, but requests must use the standard Authorization header.
If ENABLE_DEBUG_SIGN_ENDPOINT=true, the server exposes:
POST /auth/debug/keypair → generate RS256/ES256 keys (DER), optionally persist to .env
POST /auth/debug/sign → sign a short-lived JWT for testing
Never enable these in production.
Always run behind HTTPS in production
Protect private keys and .env files
Rotate keys periodically; prefer short token TTLs for automation
Storage is scoped by sub → each user sees only their own DIDs and VCs
Confirmation of flows is restricted to the user that initiated them