
Endpoint

POST /apiops/projects/{projectName}/jwks/generate

Authentication

Requires a Personal API Access Token.
Authorization: Bearer YOUR_TOKEN

Request

Headers

| Header | Value | Required |
| --- | --- | --- |
| Authorization | Bearer {token} | Yes |
| Content-Type | application/json | Yes |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |

Request Body

The request body structure varies based on the JWK type. All types require name and type fields.

Type: RSA

{
  "name": "generated-rsa-jwk",
  "description": "Auto-generated RSA JWK",
  "type": "RSA",
  "kid": "rsa-key-1",
  "rsa": {
    "keySize": 2048,
    "keyUseType": "SIGNATURE",
    "algorithm": "RSA256",
    "keyIdType": "TIMESTAMP",
    "notBeforeTime": "2024-01-01T00:00:00Z",
    "expirationTime": "2025-01-01T00:00:00Z"
  }
}
RSA Parameters:
  • keySize (integer): Key size in bits. Common values: 2048, 3072, 4096
    • 2048: Standard size, good balance of security and performance
    • 3072: Higher security, recommended for long-term use
    • 4096: Maximum security, slower operations
  • keyUseType (string, optional): Key usage type. Valid values: SIGNATURE, ENCRYPTION
    • SIGNATURE: Key is used for signing (default)
    • ENCRYPTION: Key is used for encryption
  • algorithm (string, optional): Algorithm to use with this key. Valid values:
    • For SIGNATURE: RSA256, RSA384, RSA512, PS256, PS384, PS512
    • For ENCRYPTION: RSA1_5 (deprecated), RSA_OAEP (deprecated), RSA_OAEP_256, RSA_OAEP_384, RSA_OAEP_512
  • keyIdType (string, optional): Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE
  • notBeforeTime (string, optional): ISO 8601 date/time when the key becomes valid. If not provided, current time is used
  • expirationTime (string, optional): ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used

Type: EC (Elliptic Curve)

{
  "name": "generated-ec-jwk",
  "description": "Auto-generated EC JWK",
  "type": "EC",
  "kid": "ec-key-1",
  "ec": {
    "curveType": "P256",
    "keyUseType": "SIGNATURE",
    "algorithm": "ES256",
    "keyIdType": "TIMESTAMP",
    "notBeforeTime": "2024-01-01T00:00:00Z",
    "expirationTime": "2025-01-01T00:00:00Z"
  }
}
EC Parameters:
  • curveType (string): Curve name. Valid values: P256, P384, P521, SECP256K1
    • P256: 256-bit curve (NIST P-256, secp256r1)
    • P384: 384-bit curve (NIST P-384, secp384r1)
    • P521: 521-bit curve (NIST P-521, secp521r1)
    • SECP256K1: secp256k1 curve (used in Bitcoin)
  • keyUseType (string, optional): Key usage type. Valid values: SIGNATURE, ENCRYPTION
    • SIGNATURE: Key is used for signing (default)
    • ENCRYPTION: Key is used for encryption
  • algorithm (string, optional): Algorithm to use with this key. Valid values:
    • For SIGNATURE: ES256, ES384, ES512, ES256K
    • For ENCRYPTION: ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, ECDH_1PU, ECDH_1PU_A128KW, ECDH_1PU_A192KW, ECDH_1PU_A256KW
  • keyIdType (string, optional): Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE
  • notBeforeTime (string, optional): ISO 8601 date/time when the key becomes valid. If not provided, current time is used
  • expirationTime (string, optional): ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used

Type: OCT (Octet Sequence - Symmetric Key)

{
  "name": "generated-oct-jwk",
  "description": "Auto-generated symmetric key",
  "type": "OCT",
  "kid": "oct-key-1",
  "oct": {
    "keySize": 256,
    "keyUseType": "SIGNATURE",
    "algorithm": "HS256",
    "keyIdType": "TIMESTAMP",
    "passwordSaltLength": 8,
    "passwordIterationCount": 1000,
    "notBeforeTime": "2024-01-01T00:00:00Z",
    "expirationTime": "2025-01-01T00:00:00Z"
  }
}
OCT Parameters:
  • keySize (integer): Key size in bits. Common values: 128, 192, 256
    • 128: 128-bit key (16 bytes)
    • 192: 192-bit key (24 bytes)
    • 256: 256-bit key (32 bytes) - Recommended
  • keyUseType (string, optional): Key usage type. Valid values: SIGNATURE, ENCRYPTION
    • SIGNATURE: Key is used for signing (default)
    • ENCRYPTION: Key is used for encryption
  • algorithm (string, optional): Algorithm to use with this key. Valid values:
    • For SIGNATURE: HS256, HS384, HS512
    • For ENCRYPTION: A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW, DIR, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW
  • keyIdType (string, optional): Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE
  • passwordSaltLength (integer, optional): Salt length for password-based encryption. Default: 8
  • passwordIterationCount (integer, optional): Iteration count for password-based encryption. Default: 1000
  • notBeforeTime (string, optional): ISO 8601 date/time when the key becomes valid. If not provided, current time is used
  • expirationTime (string, optional): ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used

Type: OKP (Octet Key Pair)

{
  "name": "generated-okp-jwk",
  "description": "Auto-generated OKP JWK",
  "type": "OKP",
  "kid": "okp-key-1",
  "okp": {
    "curveType": "ED25519",
    "keyUseType": "SIGNATURE",
    "algorithm": "EdDSA",
    "keyIdType": "TIMESTAMP",
    "notBeforeTime": "2024-01-01T00:00:00Z",
    "expirationTime": "2025-01-01T00:00:00Z"
  }
}
OKP Parameters:
  • curveType (string): Curve name. Valid values: ED25519, X25519
    • ED25519: Edwards Curve for signing (Ed25519)
    • X25519: Montgomery Curve for key exchange (X25519)
    • Note: Ed448 and X448 are currently unsupported
  • keyUseType (string, optional): Key usage type. Valid values: SIGNATURE, ENCRYPTION
    • SIGNATURE: Key is used for signing (default)
    • ENCRYPTION: Key is used for encryption
  • algorithm (string, optional): Algorithm to use with this key. Valid values:
    • For SIGNATURE: EdDSA
    • For ENCRYPTION: ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, ECDH_1PU, ECDH_1PU_A128KW, ECDH_1PU_A192KW, ECDH_1PU_A256KW
  • keyIdType (string, optional): Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE
  • notBeforeTime (string, optional): ISO 8601 date/time when the key becomes valid. If not provided, current time is used
  • expirationTime (string, optional): ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used

Request Body Fields

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | JWK name (unique identifier) |
| description | string | No | JWK description |
| type | string | Yes | JWK type: RSA, EC, OCT, OKP |
| kid | string | No | Key ID (kid), a unique identifier for the key. If not provided, a default kid will be generated |
| rsa | object | Conditional | RSA-specific parameters (required if type is RSA) |
| ec | object | Conditional | EC-specific parameters (required if type is EC) |
| oct | object | Conditional | OCT-specific parameters (required if type is OCT) |
| okp | object | Conditional | OKP-specific parameters (required if type is OKP) |

RSA Object Fields

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| keySize | integer | Yes | Key size in bits. Valid values: 2048, 3072, 4096 |
| keyUseType | string | No | Key usage type. Valid values: SIGNATURE, ENCRYPTION. Default: SIGNATURE |
| algorithm | string | No | Algorithm to use with this key. For SIGNATURE: RSA256, RSA384, RSA512, PS256, PS384, PS512. For ENCRYPTION: RSA1_5 (deprecated), RSA_OAEP (deprecated), RSA_OAEP_256, RSA_OAEP_384, RSA_OAEP_512 |
| keyIdType | string | No | Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE |
| notBeforeTime | string | No | ISO 8601 date/time when the key becomes valid. If not provided, the current time is used |
| expirationTime | string | No | ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used |

EC Object Fields

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| curveType | string | Yes | Curve name. Valid values: P256, P384, P521, SECP256K1 |
| keyUseType | string | No | Key usage type. Valid values: SIGNATURE, ENCRYPTION. Default: SIGNATURE |
| algorithm | string | No | Algorithm to use with this key. For SIGNATURE: ES256, ES384, ES512, ES256K. For ENCRYPTION: ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, ECDH_1PU, ECDH_1PU_A128KW, ECDH_1PU_A192KW, ECDH_1PU_A256KW |
| keyIdType | string | No | Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE |
| notBeforeTime | string | No | ISO 8601 date/time when the key becomes valid. If not provided, the current time is used |
| expirationTime | string | No | ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used |

OCT Object Fields

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| keySize | integer | Yes | Key size in bits. Valid values: 128, 192, 256 |
| keyUseType | string | No | Key usage type. Valid values: SIGNATURE, ENCRYPTION. Default: SIGNATURE |
| algorithm | string | No | Algorithm to use with this key. For SIGNATURE: HS256, HS384, HS512. For ENCRYPTION: A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW, DIR, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW |
| keyIdType | string | No | Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE |
| passwordSaltLength | integer | No | Salt length for password-based encryption. Default: 8 |
| passwordIterationCount | integer | No | Iteration count for password-based encryption. Default: 1000 |
| notBeforeTime | string | No | ISO 8601 date/time when the key becomes valid. If not provided, the current time is used |
| expirationTime | string | No | ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used |

OKP Object Fields

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| curveType | string | Yes | Curve name. Valid values: ED25519, X25519 (Note: Ed448 and X448 are currently unsupported) |
| keyUseType | string | No | Key usage type. Valid values: SIGNATURE, ENCRYPTION. Default: SIGNATURE |
| algorithm | string | No | Algorithm to use with this key. For SIGNATURE: EdDSA. For ENCRYPTION: ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, ECDH_1PU, ECDH_1PU_A128KW, ECDH_1PU_A192KW, ECDH_1PU_A256KW |
| keyIdType | string | No | Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE |
| notBeforeTime | string | No | ISO 8601 date/time when the key becomes valid. If not provided, the current time is used |
| expirationTime | string | No | ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used |

Notes

  • name must be unique within the project
  • type determines the cryptographic algorithm and which type-specific object (rsa, ec, oct, or okp) must be provided
  • kid (Key ID) is optional. If not provided, a default kid will be automatically generated. The kid is used to identify the key in JWK Sets and JWT headers
  • Type-specific parameters are required based on the selected type
  • JWK is automatically deployed to all environments after generation
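The rules above (required name and type, exactly one type-specific object, the allowed key sizes, curves and algorithms per keyUseType, and the notBeforeTime/expirationTime defaults) can be checked on the client before a body is sent, so a malformed request is caught locally instead of coming back as a 400. The following validator is an added example and is not Apinizer's own code; it transcribes the constraints from the tables on this page. Two of its checks are this example's own hardening policy rather than endpoint behaviour: it refuses the algorithms the page marks deprecated (RSA1_5, RSA_OAEP), and it refuses PBES2 settings below the page's defaults of salt length 8 and 1000 iterations (which are also the RFC 7518 minimums). "One year" is approximated as 365 days.

```python
"""Client-side validator for a jwks/generate request body (added example)."""
from datetime import datetime, timedelta, timezone

ECDH_ALGS = {"ECDH_ES", "ECDH_ES_A128KW", "ECDH_ES_A192KW", "ECDH_ES_A256KW",
             "ECDH_1PU", "ECDH_1PU_A128KW", "ECDH_1PU_A192KW", "ECDH_1PU_A256KW"}

# Per type: the field selecting key size or curve, its valid values, and the
# algorithms valid for each keyUseType, all transcribed from the tables above.
SPEC = {
    "RSA": {"field": "keySize", "values": {2048, 3072, 4096},
            "SIGNATURE": {"RSA256", "RSA384", "RSA512", "PS256", "PS384", "PS512"},
            "ENCRYPTION": {"RSA1_5", "RSA_OAEP", "RSA_OAEP_256", "RSA_OAEP_384", "RSA_OAEP_512"}},
    "EC": {"field": "curveType", "values": {"P256", "P384", "P521", "SECP256K1"},
           "SIGNATURE": {"ES256", "ES384", "ES512", "ES256K"}, "ENCRYPTION": ECDH_ALGS},
    "OCT": {"field": "keySize", "values": {128, 192, 256},
            "SIGNATURE": {"HS256", "HS384", "HS512"},
            "ENCRYPTION": {"A128KW", "A192KW", "A256KW", "A128GCMKW", "A192GCMKW", "A256GCMKW",
                           "DIR", "PBES2_HS256_A128KW", "PBES2_HS384_A192KW", "PBES2_HS512_A256KW"}},
    "OKP": {"field": "curveType", "values": {"ED25519", "X25519"},
            "SIGNATURE": {"EdDSA"}, "ENCRYPTION": ECDH_ALGS},
}
KEY_ID_TYPES = {"TIMESTAMP", "SHA256", "SHA1", "ISO_DATE", "NONE"}
DEPRECATED = {"RSA1_5", "RSA_OAEP"}  # marked deprecated on this page; refused by local policy


def _iso(value):
    """Parse the page's ISO 8601 form (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_generate_body(body):
    """Return a list of problems; an empty list means the body follows the documented rules."""
    problems = []
    if not body.get("name"):
        problems.append("name is required")
    jwk_type = body.get("type")
    if jwk_type not in SPEC:
        return problems + [f"type must be one of {sorted(SPEC)}"]
    # Exactly the object matching the type must be present (rsa, ec, oct or okp).
    wanted = jwk_type.lower()
    present = [k for k in ("rsa", "ec", "oct", "okp") if k in body]
    if present != [wanted]:
        return problems + [f"type {jwk_type} requires exactly the '{wanted}' object, found {present}"]
    params, spec = body[wanted], SPEC[jwk_type]

    if params.get(spec["field"]) not in spec["values"]:
        problems.append(f"{wanted}.{spec['field']} must be one of {sorted(map(str, spec['values']))}")
    use = params.get("keyUseType", "SIGNATURE")  # SIGNATURE is the documented default
    alg = params.get("algorithm")
    if use not in ("SIGNATURE", "ENCRYPTION"):
        problems.append("keyUseType must be SIGNATURE or ENCRYPTION")
    elif alg is not None and alg not in spec[use]:
        problems.append(f"algorithm {alg} is not valid for {jwk_type} with keyUseType {use}")
    elif alg in DEPRECATED:
        problems.append(f"algorithm {alg} is deprecated; use RSA_OAEP_256 or stronger")
    if params.get("keyIdType", "TIMESTAMP") not in KEY_ID_TYPES:
        problems.append(f"keyIdType must be one of {sorted(KEY_ID_TYPES)}")
    # PBES2 key wrapping derives the wrapping key from a password; refuse weak settings
    # (local policy: the page's defaults are the floor).
    if alg and alg.startswith("PBES2"):
        if params.get("passwordSaltLength", 8) < 8:
            problems.append("passwordSaltLength below 8 (page default, RFC 7518 minimum)")
        if params.get("passwordIterationCount", 1000) < 1000:
            problems.append("passwordIterationCount below 1000 (page default, RFC 7518 minimum)")
    # Validity window: defaults are the current time and one year after notBeforeTime
    # (365 days here, an approximation of the page's "one year").
    try:
        nbf = _iso(params["notBeforeTime"]) if "notBeforeTime" in params else datetime.now(timezone.utc)
        exp = _iso(params["expirationTime"]) if "expirationTime" in params else nbf + timedelta(days=365)
        if exp <= nbf:
            problems.append("expirationTime must be later than notBeforeTime")
    except (ValueError, TypeError, AttributeError) as e:
        problems.append(f"time fields must be ISO 8601 date/time strings: {e}")
    return problems


# The RSA request body shown on this page, transcribed for a self-check.
RSA_EXAMPLE = {
    "name": "generated-rsa-jwk", "description": "Auto-generated RSA JWK", "type": "RSA",
    "kid": "rsa-key-1",
    "rsa": {"keySize": 2048, "keyUseType": "SIGNATURE", "algorithm": "RSA256",
            "keyIdType": "TIMESTAMP", "notBeforeTime": "2024-01-01T00:00:00Z",
            "expirationTime": "2025-01-01T00:00:00Z"},
}

if __name__ == "__main__":
    print(validate_generate_body(RSA_EXAMPLE) or "body follows the documented rules")
```

Run the validator on a body before posting it; the returned list is empty for the page's RSA example and names every violated rule otherwise, which is easier to act on than a single error_description from the server.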

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "message": "Deployment completed successfully",
    "environmentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployed successfully"
      }
    ]
  }
}

Error Response (400 Bad Request)

{
  "error": "bad_request",
  "error_description": "JWK name can not be empty!"
}
or
{
  "error": "bad_request",
  "error_description": "JWK type can not be empty!"
}
or
{
  "error": "bad_request",
  "error_description": "JWK (name: generated-jwk) is already exist! Try update operation if want to change its value."
}
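The response shapes above (a 200 whose deploymentResult carries per-environment results, and a 400 with error and error_description) are what a client has to interpret; a JWK that was generated but not deployed everywhere should not be reported as a plain success. The client below is an added example, not Apinizer's own code. Its transport is injectable so the response handling can be exercised offline against the sample payloads on this page; by default it posts with urllib. BASE_URL is taken from the cURL examples on this page, the token is a placeholder, and treating a 200 whose environmentResults contain success=false as a failure is this example's own policy, since the page shows per-environment results but does not say how the top-level flag behaves when one environment fails.

```python
"""Call jwks/generate and interpret the documented responses (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://demo.apinizer.com"  # host from the cURL examples on this page


class JwkGenerateError(Exception):
    """A documented error body, or a deployment that did not succeed in every environment."""


def _http_send(url, headers, payload):
    """Default transport: POST and return (status, parsed JSON body), also for 4xx replies."""
    req = urllib.request.Request(url, data=payload, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read().decode("utf-8") or "{}")


def interpret_response(status, body):
    """Return the names of environments deployed successfully, or raise JwkGenerateError."""
    if status != 200:
        # Error shape on this page: {"error": "...", "error_description": "..."}
        raise JwkGenerateError(f"HTTP {status} {body.get('error')}: {body.get('error_description')}")
    results = body.get("deploymentResult", {}).get("environmentResults", [])
    failed = [r.get("environmentName") for r in results if not r.get("success")]
    # Local policy (assumption): any failed environment makes the whole call a failure.
    if not body.get("success") or failed:
        raise JwkGenerateError(f"JWK generated but deployment did not succeed; failed environments: {failed}")
    return [r["environmentName"] for r in results]


def generate_jwk(project_name, body, token, send=_http_send):
    """POST body to /apiops/projects/{projectName}/jwks/generate through the given transport."""
    path = f"/apiops/projects/{urllib.parse.quote(project_name, safe='')}/jwks/generate"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, resp = send(BASE_URL + path, headers, json.dumps(body).encode("utf-8"))
    return interpret_response(status, resp)


if __name__ == "__main__":
    # Real call; needs network access and a Personal API Access Token (placeholder below).
    print(generate_jwk("MyProject", {"name": "generated-rsa-jwk", "type": "RSA",
                                     "rsa": {"keySize": 2048}}, "YOUR_TOKEN"))
```

Because the transport is a parameter, the same interpret_response logic can be unit-tested with the page's sample bodies and then used unchanged against the live endpoint; the project name is URL-encoded so it cannot alter the request path.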

cURL Examples

Example 1: Generate RSA JWK (2048-bit)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-rsa-jwk",
    "description": "Auto-generated RSA 2048-bit JWK",
    "type": "RSA",
    "kid": "rsa-2048-key-1",
    "rsa": {
      "keySize": 2048
    }
  }'

Example 2: Generate RSA JWK (4096-bit)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-rsa-4096-jwk",
    "description": "Auto-generated RSA 4096-bit JWK",
    "type": "RSA",
    "kid": "rsa-4096-key-1",
    "rsa": {
      "keySize": 4096
    }
  }'

Example 3: Generate EC JWK (P-256)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-ec-jwk",
    "description": "Auto-generated EC P-256 JWK",
    "type": "EC",
    "kid": "ec-p256-key-1",
    "ec": {
      "curveType": "P256"
    }
  }'

Example 4: Generate EC JWK (P-384)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-ec-p384-jwk",
    "description": "Auto-generated EC P-384 JWK",
    "type": "EC",
    "kid": "ec-p384-key-1",
    "ec": {
      "curveType": "P384"
    }
  }'

Example 5: Generate OCT JWK (256-bit symmetric key)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-oct-jwk",
    "description": "Auto-generated 256-bit symmetric key",
    "type": "OCT",
    "kid": "oct-256-key-1",
    "oct": {
      "keySize": 256
    }
  }'

Example 6: Generate OKP JWK (Ed25519)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-okp-jwk",
    "description": "Auto-generated Ed25519 JWK",
    "type": "OKP",
    "kid": "okp-ed25519-key-1",
    "okp": {
      "curveType": "ED25519"
    }
  }'

Example 7: Generate OKP JWK (X25519 for key exchange)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-x25519-jwk",
    "description": "Auto-generated X25519 JWK for key exchange",
    "type": "OKP",
    "kid": "okp-x25519-key-1",
    "okp": {
      "curveType": "X25519"
    }
  }'

Notes and Warnings

  • JWK Name:
    • Must be unique within the project
  • JWK Types and Use Cases:
    • RSA:
      • Recommended for most use cases, supports signing and encryption
      • Key sizes: 2048 (standard), 3072 (high security), 4096 (maximum security)
      • Larger keys provide better security but slower operations
      • Use for JWT signing (RS256, RS384, RS512) and encryption (RSA-OAEP)
    • EC (Elliptic Curve):
      • Smaller key sizes, good for constrained environments
      • Curves: P-256 (256-bit), P-384 (384-bit), P-521 (521-bit)
      • Use for JWT signing (ES256, ES384, ES512)
      • More efficient than RSA for same security level
    • OCT (Symmetric Key):
      • Symmetric keys for encryption and signing
      • Key sizes: 128, 192, 256 bits
      • Use for JWT signing (HS256, HS384, HS512) and encryption (AES)
      • Requires secure key distribution
    • OKP (Octet Key Pair):
      • Modern curve-based keys
      • Ed25519: For signing (EdDSA algorithm); Ed448 is currently unsupported
      • X25519: For key exchange (ECDH); X448 is currently unsupported
      • Very efficient and secure
      • Use for modern applications requiring high performance
  • Type-Specific Parameters:
    • Each JWK type requires its corresponding parameter object (rsa, ec, oct, or okp)
    • Parameters must match the selected type
    • Invalid parameter combinations will result in validation errors
  • Automatic Deployment:
    • JWK is automatically deployed after generation
    • Deployment results are returned in the response
  • Security:
    • Generated keys are cryptographically secure
    • Private keys are encrypted at rest
    • Key generation uses secure random number generators
  • Performance Considerations:
    • RSA: Larger key sizes (4096) are slower but more secure
    • EC: Faster than RSA for equivalent security
    • OKP: Fastest option, ideal for high-performance scenarios
    • OCT: Fastest for symmetric operations

Permissions

User must have SECRETS + MANAGE permission in the project. For deployment operations (when deploying JWKs to environments), user must also have SECRETS + DEPLOY_UNDEPLOY permission.