Create JWK

Overview

Creates a new JWK (JSON Web Key) and deploys it to environments. JWKs can be created from various sources including URLs, JSON strings, certificates, keys, keystores, or generated programmatically.

Endpoint

POST /apiops/projects/{projectName}/jwks/

Authentication

Requires a Personal API Access Token.

Header

Authorization: Bearer YOUR_TOKEN

Request

Headers

Header	Value	Required
Authorization	Bearer {token}	Yes
Content-Type	application/json	Yes

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name

Request Body

The request body varies based on the sourceType. All source types require:

{
  "name": "my-jwk",
  "description": "JWK for API authentication",
  "sourceType": "URL"
}

Source Type: URL

{
  "name": "my-jwk",
  "description": "JWK from URL",
  "sourceType": "URL",
  "url": "https://example.com/.well-known/jwks.json",
  "urlOptionConnectTimeout": 5000,
  "urlOptionReadTimeout": 10000,
  "urlOptionSizeLimit": 1048576,
  "kid": "key-id-1"
}

Note: If the URL returns a JWK Set (array of keys), use kid to specify which key to use from the array.

Source Type: COPY_PASTE

{
  "name": "my-jwk",
  "description": "JWK from JSON string",
  "sourceType": "COPY_PASTE",
  "jwkStr": "{\"kty\":\"RSA\",\"n\":\"...\",\"e\":\"AQAB\"}",
  "kid": "key-id-1"
}

Note: If jwkStr contains a JWK Set (array of keys), use kid to specify which key to use from the array.

Source Type: CERTIFICATE

{
  "name": "my-jwk",
  "description": "JWK from certificate",
  "sourceType": "CERTIFICATE",
  "certificateName": "my-certificate",
  "environmentName": "production",
  "useType": "SIGNATURE",
  "algorithm": "RS256"
}

Source Type: PUBLIC_KEY or PRIVATE_KEY

{
  "name": "my-jwk",
  "description": "JWK from key",
  "sourceType": "PUBLIC_KEY",
  "keyName": "my-key",
  "environmentName": "production",
  "useType": "SIGNATURE",
  "algorithm": "RS256"
}

Source Type: KEYSTORE

{
  "name": "my-jwk",
  "description": "JWK from keystore",
  "sourceType": "KEYSTORE",
  "keyStoreName": "my-keystore",
  "environmentName": "production",
  "aliasName": "my-alias",
  "useType": "SIGNATURE",
  "algorithm": "RS256"
}

Request Body Fields

Field	Type	Required	Description
name	string	Yes	JWK name (unique identifier)
description	string	No	JWK description
sourceType	string	Yes	Source type: URL, COPY_PASTE, CERTIFICATE, PUBLIC_KEY, PRIVATE_KEY, KEYSTORE
url	string	Conditional	URL to fetch JWK from (required if sourceType is URL)
urlOptionConnectTimeout	integer	No	Connection timeout in milliseconds (default: 5000)
urlOptionReadTimeout	integer	No	Read timeout in milliseconds (default: 10000)
urlOptionSizeLimit	integer	No	Maximum response size in bytes (default: 1048576)
jwkStr	string	Conditional	JWK JSON string (required if sourceType is COPY_PASTE)
certificateName	string	Conditional	Certificate name (required if sourceType is CERTIFICATE)
keyName	string	Conditional	Key name (required if sourceType is PUBLIC_KEY or PRIVATE_KEY)
keyStoreName	string	Conditional	Keystore name (required if sourceType is KEYSTORE)
kid	string	Conditional	Key ID (kid) - Required for URL and COPY_PASTE source types when the source contains multiple keys (JWK Set)
environmentName	string	Conditional	Environment name (required for CERTIFICATE, KEY, KEYSTORE source types)
aliasName	string	Conditional	Alias name in keystore (required if sourceType is KEYSTORE)
useType	string	Conditional	Use type: SIGNATURE, ENCRYPTION (required for CERTIFICATE, KEY, KEYSTORE source types)
algorithm	string	Conditional	Algorithm to use with the key (required for CERTIFICATE, KEY, KEYSTORE source types). See Notes section for valid algorithm values based on key type and useType.

Notes

• name must be unique within the project
• For GENERATE source type, use the Generate JWK endpoint
• Certificate, Key, and Keystore must exist and be accessible in the specified environment
• JWK is automatically deployed to all environments after creation
• algorithm: This field specifies the cryptographic algorithm to use with the key. The value must match the key type and useType:
  • RSA with SIGNATURE: RS256, RS384, RS512, PS256, PS384, PS512
  • RSA with ENCRYPTION: RSA1_5 (deprecated), RSA-OAEP (deprecated), RSA-OAEP-256, RSA-OAEP-384, RSA-OAEP-512
  • EC with SIGNATURE: ES256, ES384, ES512, ES256K
  • EC with ENCRYPTION: ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-1PU, ECDH-1PU+A128KW, ECDH-1PU+A192KW, ECDH-1PU+A256KW
  • OCT with SIGNATURE: HS256, HS384, HS512
  • OCT with ENCRYPTION: A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW, DIR, PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW
  • OKP with SIGNATURE: EdDSA
  • OKP with ENCRYPTION: ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, ECDH-1PU, ECDH-1PU+A128KW, ECDH-1PU+A192KW, ECDH-1PU+A256KW
• Important: algorithm must be a valid algorithm name, not a key type (e.g., use RS256 not RSA)

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "message": "Deployment completed successfully",
    "environmentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployed successfully"
      },
      {
        "environmentName": "staging",
        "success": true,
        "message": "Deployed successfully"
      }
    ]
  }
}

Error Response (400 Bad Request)

{
  "error": "bad_request",
  "error_description": "JWK name can not be empty!"
}

or

{
  "error": "bad_request",
  "error_description": "JWK (name: my-jwk) is already exist! Try update operation if want to change its value."
}

or

{
  "error": "bad_request",
  "error_description": "Source type is required!"
}

or

{
  "error": "bad_request",
  "error_description": "URL is required for URL source type!"
}

or

{
  "error": "bad_request",
  "error_description": "Certificate (name: my-certificate) is not found!"
}

cURL Example

Example 1: Create JWK from URL

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-jwk",
    "description": "JWK from URL",
    "sourceType": "URL",
    "url": "https://example.com/.well-known/jwks.json"
  }'

Example 2: Create JWK from JSON String

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-jwk",
    "description": "JWK from clipboard",
    "sourceType": "COPY_PASTE",
    "jwkStr": "{\"kty\":\"RSA\",\"n\":\"...\",\"e\":\"AQAB\"}"
  }'

Example 3: Create JWK from Certificate

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-jwk",
    "description": "JWK from certificate",
    "sourceType": "CERTIFICATE",
    "certificateName": "my-certificate",
    "environmentName": "production",
    "useType": "SIGNATURE",
    "algorithm": "RS256"
  }'

Notes and Warnings

• JWK Name:
  • Must be unique within the project
  • Cannot be changed after creation
• Source Types:
  • URL: Fetches JWK from a remote URL
  • COPY_PASTE: Creates JWK from JSON string
  • CERTIFICATE: Extracts JWK from existing certificate
  • PUBLIC_KEY/PRIVATE_KEY: Extracts JWK from existing key
  • KEYSTORE: Extracts JWK from keystore alias
  • GENERATE: Use Generate JWK endpoint instead
• Automatic Deployment:
  • JWK is automatically deployed after creation
  • Deployment results are returned in the response
• Permissions:
  • Requires ROLE_API_SECURITY permission
  • Requires ROLE_DEPLOY_UNDEPLOY_PROXIES permission for deployment
  • User must have access to the project and referenced resources

Related Documentation

• List JWKs - List all JWKs
• Get JWK - Get a specific JWK
• Generate JWK - Generate a new JWK
• Update JWK - Update a JWK