Generate JWK

Overview

Generates a new JWK (JSON Web Key) programmatically and deploys it to environments. This endpoint creates a cryptographically secure JWK based on the specified type and parameters.

Endpoint

POST /apiops/projects/{projectName}/jwks/generate

Authentication

Requires a Personal API Access Token.

Authorization: Bearer YOUR_TOKEN

Request

Headers

Header Value Required
Authorization Bearer {token} Yes
Content-Type application/json Yes

Path Parameters

Parameter Type Required Description
projectName string Yes Project name

Request Body

The request body structure varies based on the JWK type. All types require name and type fields.

Type: RSA

{
  "name": "generated-rsa-jwk",
  "description": "Auto-generated RSA JWK",
  "type": "RSA",
  "kid": "rsa-key-1",
  "rsa": {
    "keySize": 2048,
    "keyUseType": "SIGNATURE",
    "algorithm": "RSA256",
    "keyIdType": "TIMESTAMP",
    "notBeforeTime": "2024-01-01T00:00:00Z",
    "expirationTime": "2025-01-01T00:00:00Z"
  }
}

RSA Parameters:

  • keySize (integer): Key size in bits. Common values: 2048, 3072, 4096
    • 2048: Standard size, good balance of security and performance
    • 3072: Higher security, recommended for long-term use
    • 4096: Maximum security, slower operations
  • keyUseType (string, optional): Key usage type. Valid values: SIGNATURE, ENCRYPTION
    • SIGNATURE: Key is used for signing (default)
    • ENCRYPTION: Key is used for encryption
  • algorithm (string, optional): Algorithm to use with this key. Valid values:
    • For SIGNATURE: RSA256, RSA384, RSA512, PS256, PS384, PS512
    • For ENCRYPTION: RSA1_5 (deprecated), RSA_OAEP (deprecated), RSA_OAEP_256, RSA_OAEP_384, RSA_OAEP_512
  • keyIdType (string, optional): Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE
  • notBeforeTime (string, optional): ISO 8601 date/time when the key becomes valid. If not provided, current time is used
  • expirationTime (string, optional): ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used

Type: EC (Elliptic Curve)

{
  "name": "generated-ec-jwk",
  "description": "Auto-generated EC JWK",
  "type": "EC",
  "kid": "ec-key-1",
  "ec": {
    "curveType": "P256",
    "keyUseType": "SIGNATURE",
    "algorithm": "ES256",
    "keyIdType": "TIMESTAMP",
    "notBeforeTime": "2024-01-01T00:00:00Z",
    "expirationTime": "2025-01-01T00:00:00Z"
  }
}

EC Parameters:

  • curveType (string): Curve name. Valid values: P256, P384, P521, SECP256K1
    • P256: 256-bit curve (NIST P-256, secp256r1)
    • P384: 384-bit curve (NIST P-384, secp384r1)
    • P521: 521-bit curve (NIST P-521, secp521r1)
    • SECP256K1: secp256k1 curve (used in Bitcoin)
  • keyUseType (string, optional): Key usage type. Valid values: SIGNATURE, ENCRYPTION
    • SIGNATURE: Key is used for signing (default)
    • ENCRYPTION: Key is used for encryption
  • algorithm (string, optional): Algorithm to use with this key. Valid values:
    • For SIGNATURE: ES256, ES384, ES512, ES256K
    • For ENCRYPTION: ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, ECDH_1PU, ECDH_1PU_A128KW, ECDH_1PU_A192KW, ECDH_1PU_A256KW
  • keyIdType (string, optional): Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE
  • notBeforeTime (string, optional): ISO 8601 date/time when the key becomes valid. If not provided, current time is used
  • expirationTime (string, optional): ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used

Type: OCT (Octet Sequence - Symmetric Key)

{
  "name": "generated-oct-jwk",
  "description": "Auto-generated symmetric key",
  "type": "OCT",
  "kid": "oct-key-1",
  "oct": {
    "keySize": 256,
    "keyUseType": "SIGNATURE",
    "algorithm": "HS256",
    "keyIdType": "TIMESTAMP",
    "passwordSaltLength": 8,
    "passwordIterationCount": 1000,
    "notBeforeTime": "2024-01-01T00:00:00Z",
    "expirationTime": "2025-01-01T00:00:00Z"
  }
}

OCT Parameters:

  • keySize (integer): Key size in bits. Common values: 128, 192, 256
    • 128: 128-bit key (16 bytes)
    • 192: 192-bit key (24 bytes)
    • 256: 256-bit key (32 bytes) - Recommended
  • keyUseType (string, optional): Key usage type. Valid values: SIGNATURE, ENCRYPTION
    • SIGNATURE: Key is used for signing (default)
    • ENCRYPTION: Key is used for encryption
  • algorithm (string, optional): Algorithm to use with this key. Valid values:
    • For SIGNATURE: HS256, HS384, HS512
    • For ENCRYPTION: A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW, DIR, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW
  • keyIdType (string, optional): Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE
  • passwordSaltLength (integer, optional): Salt length for password-based encryption. Default: 8
  • passwordIterationCount (integer, optional): Iteration count for password-based encryption. Default: 1000
  • notBeforeTime (string, optional): ISO 8601 date/time when the key becomes valid. If not provided, current time is used
  • expirationTime (string, optional): ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used

Type: OKP (Octet Key Pair)

{
  "name": "generated-okp-jwk",
  "description": "Auto-generated OKP JWK",
  "type": "OKP",
  "kid": "okp-key-1",
  "okp": {
    "curveType": "ED25519",
    "keyUseType": "SIGNATURE",
    "algorithm": "EdDSA",
    "keyIdType": "TIMESTAMP",
    "notBeforeTime": "2024-01-01T00:00:00Z",
    "expirationTime": "2025-01-01T00:00:00Z"
  }
}

OKP Parameters:

  • curveType (string): Curve name. Valid values: ED25519, X25519
    • ED25519: Edwards Curve for signing (Ed25519)
    • X25519: Montgomery Curve for key exchange (X25519)
    • Note: Ed448 and X448 are currently unsupported
  • keyUseType (string, optional): Key usage type. Valid values: SIGNATURE, ENCRYPTION
    • SIGNATURE: Key is used for signing (default)
    • ENCRYPTION: Key is used for encryption
  • algorithm (string, optional): Algorithm to use with this key. Valid values:
    • For SIGNATURE: EdDSA
    • For ENCRYPTION: ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, ECDH_1PU, ECDH_1PU_A128KW, ECDH_1PU_A192KW, ECDH_1PU_A256KW
  • keyIdType (string, optional): Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE
  • notBeforeTime (string, optional): ISO 8601 date/time when the key becomes valid. If not provided, current time is used
  • expirationTime (string, optional): ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used

Request Body Fields

Field Type Required Description
name string Yes JWK name (unique identifier)
description string No JWK description
type string Yes JWK type: RSA, EC, OCT, OKP
kid string No Key ID (kid) - Unique identifier for the key. If not provided, a default kid will be generated
rsa object Conditional RSA-specific parameters (required if type is RSA)
ec object Conditional EC-specific parameters (required if type is EC)
oct object Conditional OCT-specific parameters (required if type is OCT)
okp object Conditional OKP-specific parameters (required if type is OKP)

RSA Object Fields

Field Type Required Description
keySize integer Yes Key size in bits. Valid values: 2048, 3072, 4096
keyUseType string No Key usage type. Valid values: SIGNATURE, ENCRYPTION. Default: SIGNATURE
algorithm string No Algorithm to use with this key. For SIGNATURE: RSA256, RSA384, RSA512, PS256, PS384, PS512. For ENCRYPTION: RSA1_5 (deprecated), RSA_OAEP (deprecated), RSA_OAEP_256, RSA_OAEP_384, RSA_OAEP_512
keyIdType string No Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE
notBeforeTime string No ISO 8601 date/time when the key becomes valid. If not provided, current time is used
expirationTime string No ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used

EC Object Fields

Field Type Required Description
curveType string Yes Curve name. Valid values: P256, P384, P521, SECP256K1
keyUseType string No Key usage type. Valid values: SIGNATURE, ENCRYPTION. Default: SIGNATURE
algorithm string No Algorithm to use with this key. For SIGNATURE: ES256, ES384, ES512, ES256K. For ENCRYPTION: ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, ECDH_1PU, ECDH_1PU_A128KW, ECDH_1PU_A192KW, ECDH_1PU_A256KW
keyIdType string No Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE
notBeforeTime string No ISO 8601 date/time when the key becomes valid. If not provided, current time is used
expirationTime string No ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used

OCT Object Fields

Field Type Required Description
keySize integer Yes Key size in bits. Valid values: 128, 192, 256
keyUseType string No Key usage type. Valid values: SIGNATURE, ENCRYPTION. Default: SIGNATURE
algorithm string No Algorithm to use with this key. For SIGNATURE: HS256, HS384, HS512. For ENCRYPTION: A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW, DIR, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW
keyIdType string No Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE
passwordSaltLength integer No Salt length for password-based encryption. Default: 8
passwordIterationCount integer No Iteration count for password-based encryption. Default: 1000
notBeforeTime string No ISO 8601 date/time when the key becomes valid. If not provided, current time is used
expirationTime string No ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used

OKP Object Fields

Field Type Required Description
curveType string Yes Curve name. Valid values: ED25519, X25519 (Note: Ed448 and X448 are currently unsupported)
keyUseType string No Key usage type. Valid values: SIGNATURE, ENCRYPTION. Default: SIGNATURE
algorithm string No Algorithm to use with this key. For SIGNATURE: EdDSA. For ENCRYPTION: ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, ECDH_1PU, ECDH_1PU_A128KW, ECDH_1PU_A192KW, ECDH_1PU_A256KW
keyIdType string No Method to generate the key ID (kid). Valid values: TIMESTAMP (default), SHA256, SHA1, ISO_DATE, NONE
notBeforeTime string No ISO 8601 date/time when the key becomes valid. If not provided, current time is used
expirationTime string No ISO 8601 date/time when the key expires. If not provided, one year from notBeforeTime is used

Notes

  • name must be unique within the project
  • type determines the cryptographic algorithm and which type-specific object (rsa, ec, oct, or okp) must be provided
  • kid (Key ID) is optional. If not provided, a default kid will be automatically generated. The kid is used to identify the key in JWK Sets and JWT headers
  • Type-specific parameters are required based on the selected type
  • JWK is automatically deployed to all environments after generation

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "message": "Deployment completed successfully",
    "environmentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployed successfully"
      }
    ]
  }
}

Error Response (400 Bad Request)

{
  "error": "bad_request",
  "error_description": "JWK name can not be empty!"
}

or

{
  "error": "bad_request",
  "error_description": "JWK type can not be empty!"
}

or

{
  "error": "bad_request",
  "error_description": "JWK (name: generated-jwk) is already exist! Try update operation if want to change its value."
}

cURL Examples

Example 1: Generate RSA JWK (2048-bit)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-rsa-jwk",
    "description": "Auto-generated RSA 2048-bit JWK",
    "type": "RSA",
    "kid": "rsa-2048-key-1",
    "rsa": {
      "keySize": 2048
    }
  }'

Example 2: Generate RSA JWK (4096-bit)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-rsa-4096-jwk",
    "description": "Auto-generated RSA 4096-bit JWK",
    "type": "RSA",
    "kid": "rsa-4096-key-1",
    "rsa": {
      "keySize": 4096
    }
  }'

Example 3: Generate EC JWK (P-256)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-ec-jwk",
    "description": "Auto-generated EC P-256 JWK",
    "type": "EC",
    "kid": "ec-p256-key-1",
    "ec": {
      "curveType": "P256"
    }
  }'

Example 4: Generate EC JWK (P-384)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-ec-p384-jwk",
    "description": "Auto-generated EC P-384 JWK",
    "type": "EC",
    "kid": "ec-p384-key-1",
    "ec": {
      "curveType": "P384"
    }
  }'

Example 5: Generate OCT JWK (256-bit symmetric key)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-oct-jwk",
    "description": "Auto-generated 256-bit symmetric key",
    "type": "OCT",
    "kid": "oct-256-key-1",
    "oct": {
      "keySize": 256
    }
  }'

Example 6: Generate OKP JWK (Ed25519)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-okp-jwk",
    "description": "Auto-generated Ed25519 JWK",
    "type": "OKP",
    "kid": "okp-ed25519-key-1",
    "okp": {
      "curveType": "ED25519"
    }
  }'

Example 7: Generate OKP JWK (X25519 for key exchange)

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/jwks/generate" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "generated-x25519-jwk",
    "description": "Auto-generated X25519 JWK for key exchange",
    "type": "OKP",
    "kid": "okp-x25519-key-1",
    "okp": {
      "curveType": "X25519"
    }
  }'

Notes and Warnings

  • JWK Name:
    • Must be unique within the project
  • JWK Types and Use Cases:
    • RSA:
      • Recommended for most use cases, supports signing and encryption
      • Key sizes: 2048 (standard), 3072 (high security), 4096 (maximum security)
      • Larger keys provide better security but slower operations
      • Use for JWT signing (RS256, RS384, RS512) and encryption (RSA-OAEP)
    • EC (Elliptic Curve):
      • Smaller key sizes, good for constrained environments
      • Curves: P-256 (256-bit), P-384 (384-bit), P-521 (521-bit)
      • Use for JWT signing (ES256, ES384, ES512)
      • More efficient than RSA for same security level
    • OCT (Symmetric Key):
      • Symmetric keys for encryption and signing
      • Key sizes: 128, 192, 256 bits
      • Use for JWT signing (HS256, HS384, HS512) and encryption (AES)
      • Requires secure key distribution
    • OKP (Octet Key Pair):
      • Modern curve-based keys
      • Ed25519/Ed448: For signing (EdDSA algorithm)
      • X25519/X448: For key exchange (ECDH)
      • Very efficient and secure
      • Use for modern applications requiring high performance
  • Type-Specific Parameters:
    • Each JWK type requires its corresponding parameter object (rsa, ec, oct, or okp)
    • Parameters must match the selected type
    • Invalid parameter combinations will result in validation errors
  • Automatic Deployment:
    • JWK is automatically deployed after generation
    • Deployment results are returned in the response
  • Security:
    • Generated keys are cryptographically secure
    • Private keys are encrypted at rest
    • Key generation uses secure random number generators
  • Performance Considerations:
    • RSA: Larger key sizes (4096) are slower but more secure
    • EC: Faster than RSA for equivalent security
    • OKP: Fastest option, ideal for high-performance scenarios
    • OCT: Fastest for symmetric operations
  • Permissions:
    • Requires ROLE_API_SECURITY permission
    • Requires ROLE_DEPLOY_UNDEPLOY_PROXIES permission for deployment