Ana içeriğe atla

Endpoint

POST /apiops/projects/{projectName}/jwks/

Authentication

Requires a Personal API Access Token. 
Authorization: Bearer YOUR_TOKEN

Request

Headers

HeaderValueRequired
AuthorizationBearer {token}Yes
Content-Typeapplication/jsonYes

Path Parameters

ParameterTypeRequiredDescription
projectNamestringYesProject name

Request Body

The request body varies based on the sourceType. All source types require: 
{
  "name": "my-jwk",
  "description": "JWK for API authentication",
  "sourceType": "URL"
}

Source Type: URL

{
  "name": "my-jwk",
  "description": "JWK from URL",
  "sourceType": "URL",
  "url": "https://example.com/.well-known/jwks.json",
  "urlOptionConnectTimeout": 5000,
  "urlOptionReadTimeout": 10000,
  "urlOptionSizeLimit": 1048576,
  "kid": "key-id-1"
}
Note: If the URL returns a JWK Set (array of keys), use kid to specify which key to use from the array.

Source Type: COPY_PASTE

{
  "name": "my-jwk",
  "description": "JWK from JSON string",
  "sourceType": "COPY_PASTE",
  "jwkStr": "{\"kty\":\"RSA\",\"n\":\"...\",\"e\":\"AQAB\"}",
  "kid": "key-id-1"
}
Note: If jwkStr contains a JWK Set (array of keys), use kid to specify which key to use from the array.

Source Type: CERTIFICATE

{
  "name": "my-jwk",
  "description": "JWK from certificate",
  "sourceType": "CERTIFICATE",
  "certificateName": "my-certificate",
  "environmentName": "production",
  "useType": "SIGNATURE",
  "algorithm": "RS256"
}

Source Type: PUBLIC_KEY or PRIVATE_KEY

{
  "name": "my-jwk",
  "description": "JWK from key",
  "sourceType": "PUBLIC_KEY",
  "keyName": "my-key",
  "environmentName": "production",
  "useType": "SIGNATURE",
  "algorithm": "RS256"
}

Source Type: KEYSTORE

{
  "name": "my-jwk",
  "description": "JWK from keystore",
  "sourceType": "KEYSTORE",
  "keyStoreName": "my-keystore",
  "environmentName": "production",
  "aliasName": "my-alias",
  "useType": "SIGNATURE",
  "algorithm": "RS256"
}

Request Body Fields

FieldTypeRequiredDescription
namestringYesJWK name (unique identifier)
descriptionstringNoJWK description
sourceTypestringYesSource type: URL, COPY_PASTE, CERTIFICATE, PUBLIC_KEY, PRIVATE_KEY, KEYSTORE
urlstringConditionalURL to fetch JWK from (required if sourceType is URL)
urlOptionConnectTimeoutintegerNoConnection timeout in milliseconds (default: 5000)
urlOptionReadTimeoutintegerNoRead timeout in milliseconds (default: 10000)
urlOptionSizeLimitintegerNoMaximum response size in bytes (default: 1048576)
jwkStrstringConditionalJWK JSON string (required if sourceType is COPY_PASTE)
certificateNamestringConditionalCertificate name (required if sourceType is CERTIFICATE)
keyNamestringConditionalKey name (required if sourceType is PUBLIC_KEY or PRIVATE_KEY)
keyStoreNamestringConditionalKeystore name (required if sourceType is KEYSTORE)
kidstringConditionalKey ID (kid) - Required for URL and COPY_PASTE source types when the source contains multiple keys (JWK Set)
environmentNamestringConditionalEnvironment name (required for CERTIFICATE, KEY, KEYSTORE source types)
aliasNamestringConditionalAlias name in keystore (required if sourceType is KEYSTORE)
useTypestringConditionalUse type: SIGNATURE, ENCRYPTION (required for CERTIFICATE, KEY, KEYSTORE source types)
algorithmstringConditionalAlgorithm to use with the key (required for CERTIFICATE, KEY, KEYSTORE source types). See Notes section for valid algorithm values based on key type and useType.

Notes

  • name must be unique within the project
  • For GENERATE source type, use the Generate JWK endpoint
  • Certificate, Key, and Keystore must exist and be accessible in the specified environment
  • JWK is automatically deployed to all environments after creation
  • algorithm: This field specifies the cryptographic algorithm to use with the key. The value must match the key type and useType:
    • RSA with SIGNATURE: RS256, RS384, RS512, PS256, PS384, PS512
    • RSA with ENCRYPTION: RSA1_5 (deprecated), RSA-OAEP (deprecated), RSA-OAEP-256, RSA-OAEP-384, RSA-OAEP-512
    • EC with SIGNATURE: ES256, ES384, ES512, ES256K
    • EC with ENCRYPTION: ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-1PU, ECDH-1PU+A128KW, ECDH-1PU+A192KW, ECDH-1PU+A256KW
    • OCT with SIGNATURE: HS256, HS384, HS512
    • OCT with ENCRYPTION: A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW, DIR, PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW
    • OKP with SIGNATURE: EdDSA
    • OKP with ENCRYPTION: ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-1PU, ECDH-1PU+A128KW, ECDH-1PU+A192KW, ECDH-1PU+A256KW
  • Important: algorithm must be a valid algorithm name, not a key type (e.g., use RS256 not RSA)

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "message": "Deployment completed successfully",
    "environmentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployed successfully"
      },
      {
        "environmentName": "staging",
        "success": true,
        "message": "Deployed successfully"
      }
    ]
  }
}

Error Response (400 Bad Request)

{
  "error": "bad_request",
  "error_description": "JWK name can not be empty!"
}
or 
{
  "error": "bad_request",
  "error_description": "JWK (name: my-jwk) is already exist! Try update operation if want to change its value."
}
or 
{
  "error": "bad_request",
  "error_description": "Source type is required!"
}
or 
{
  "error": "bad_request",
  "error_description": "URL is required for URL source type!"
}
or 
{
  "error": "bad_request",
  "error_description": "Certificate (name: my-certificate) is not found!"
}

cURL Example

Example 1: Create JWK from URL

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-jwk",
    "description": "JWK from URL",
    "sourceType": "URL",
    "url": "https://example.com/.well-known/jwks.json"
  }'

Example 2: Create JWK from JSON String

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-jwk",
    "description": "JWK from clipboard",
    "sourceType": "COPY_PASTE",
    "jwkStr": "{\"kty\":\"RSA\",\"n\":\"...\",\"e\":\"AQAB\"}"
  }'

Example 3: Create JWK from Certificate

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-jwk",
    "description": "JWK from certificate",
    "sourceType": "CERTIFICATE",
    "certificateName": "my-certificate",
    "environmentName": "production",
    "useType": "SIGNATURE",
    "algorithm": "RS256"
  }'

Notes and Warnings

  • JWK Name:
    • Must be unique within the project
    • Cannot be changed after creation
  • Source Types:
    • URL: Fetches JWK from a remote URL
    • COPY_PASTE: Creates JWK from JSON string
    • CERTIFICATE: Extracts JWK from existing certificate
    • PUBLIC_KEY/PRIVATE_KEY: Extracts JWK from existing key
    • KEYSTORE: Extracts JWK from keystore alias
    • GENERATE: Use Generate JWK endpoint instead
  • Automatic Deployment:
    • JWK is automatically deployed after creation
    • Deployment results are returned in the response

Permissions

User must have SECRETS + MANAGE permission in the project. For deployment operations (when deploying JWKs to environments), user must also have SECRETS + DEPLOY_UNDEPLOY permission.