Can I generate a JWT token by using the application's private key inside the rule?

I need to generate a JWT token signed by one of my applications inside my rule to make a request to my server before authorizing the user to log in. I found the solution below, and I can’t get the application’s private key.

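function createToken(clientId, clientSecret, issuer, user) {
  // Token options: short lifetime, audience bound to the client
  const options = {
    expiresInMinutes: 5,
    audience: clientId,
    issuer: issuer
  };
  // Signs the user object with the client secret
  return jwt.sign(user, clientSecret, options);
}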

Hi @wubenhe

I don’t think you can. But I don’t think you should, either.

Instead, generate your own key pair, and make sure your middleware accepts either key as appropriate.

But, do you really need a JWT here? Having one introduces a lot of complexity and potential security issues.
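The approach suggested in this reply, as an added example that is not part of the original thread: a rule signs a short-lived token with a key pair generated for that purpose, and the server accepts tokens from either of two trusted public keys. It uses Node's built-in `crypto` instead of a JWT library; the function names, the `kid` values, the issuer and the audience are assumptions made for illustration, and the keys are constructed sample keys.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const nowSec = () => Math.floor(Date.now() / 1000);

// Rule side: sign a short-lived RS256 token with a key pair you generated yourself.
function signToken(privateKey, kid, claims, ttlSeconds = 300) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const body = b64url(JSON.stringify({ ...claims, iat: nowSec(), exp: nowSec() + ttlSeconds }));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${header}.${body}`), privateKey);
  return `${header}.${body}.${b64url(sig)}`;
}

// Server side: accept a token signed by any key in `trusted` (Map of kid -> public key).
function verifyToken(token, trusted, expected) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, b, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm; kid only selects among keys the server already trusts.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const key = trusted.get(header.kid);
  if (!key) throw new Error('unknown kid');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${b}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(b, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec()) throw new Error('expired');
  if (claims.iss !== expected.issuer || claims.aud !== expected.audience) throw new Error('wrong iss/aud');
  return claims;
}

// Constructed sample keys: one stands in for the existing signer, one is the rule's own.
const existingKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ruleKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const trusted = new Map([['existing-key', existingKeys.publicKey], ['rule-key', ruleKeys.publicKey]]);
const expected = { issuer: 'https://tenant.example/', audience: 'my-server' };
```

Only the public keys need to be configured on the server; the rule's private key stays in the rule's own configuration and can be rotated by adding a new `kid` entry before retiring the old one.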


Thank you for the confirmation!
I want to check if there is a way to avoid adding another check in my system to allow other access keys.

