This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
This is just a proposal so far, it hasn't been accepted and needs further discussion.
In some cases people may want to issue JWTs that are valid longer than the normal access token signing key rotation.
- Enable using both static and dynamic keys for jwt signing
- Use separate non-expiring keys for jwts
We enable using both static and dynamic keys to sign JWTs:
- Following this decision, we want to expose only a single keyset for both JWTs and access tokens
- We can add both static and dynamic (or refreshing/expiring) keys to this keyset
- We could use either kind of key for both access tokens and JWTs, replacing the `access_token_signing_key_dynamic` core config option
- By default, access tokens will be signed using dynamic keys. This can be changed through a setting in the BE SDK (this replaces the core config option). The `useDynamicAccessTokenSigningKey: boolean` property will be added to the Session recipe configuration.
- By default, jwts will be signed using the static key. This can be controlled through a parameter passed to the
- We should rename `access_token_dynamic_signing_key_update_interval` in the core config.