Use encodeToken to generate a token signed with RS256

Hi, I am trying to use api.redirect.encodeToken inside an action to encode my token and then send it via sendUserTo. I want to use RS256.

Here is a sample of the code

  const token = api.redirect.encodeToken({
    secret: event.secrets.SECRET_KEY,
    expiresInSeconds: 120,
    payload: {
      // Custom claims to be added to the token
      email: event.user.email,
    },
  });

For the SECRET KEY I am using an RS256 key that I am using in other parts of my app. It works fine anywhere else (validating it with jose).

The problem is, when I decode the token that is generated by the action, it's always HS256.

Checking the OAuth settings of my app settings, I can see it's set to RS256 (and the access token and id_token are both signed with RS256).

I guess the question is, what am I doing wrong or is there any way to sign with RS256 the tokens generated by actions?

I can always import jose and create my own token manually, but would love to avoid it.

Hey @tomas4, the encodeToken function signs the token with an HS256 signature. It does not support RS256. The secret you pass to it is just a secret key/passphrase, and not an RS256 key. The same secret should be used in the application to validate the token.

If you’d like the token to be signed with RS256, you’ll need to import an npm module like jsonwebtoken and use its methods.

3 Likes
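
The difference the answer above describes, as an added example that is not part of the original thread and is not Auth0's code: an HS256 token is checked with the same shared secret that signed it, an RS256 token is signed with a private key and checked with the public key, and the receiver pins the algorithm it expects. It uses Node's built-in crypto in place of jose or jsonwebtoken; `signJwt`, `verifyJwt`, `demo`, the secret and the key pair are hypothetical names and constructed values.

```javascript
const crypto = require('crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');

// Build a compact JWT. alg is 'HS256' (shared secret) or 'RS256' (RSA private key).
function signJwt(alg, key, payload, expiresInSeconds) {
  const now = Math.floor(Date.now() / 1000);
  const header = b64u(JSON.stringify({ alg, typ: 'JWT' }));
  const body = b64u(JSON.stringify({ ...payload, iat: now, exp: now + expiresInSeconds }));
  const input = `${header}.${body}`;
  const sig = alg === 'RS256'
    ? crypto.sign('sha256', Buffer.from(input), key)            // RSASSA-PKCS1-v1_5 + SHA-256
    : crypto.createHmac('sha256', key).update(input).digest();  // HMAC-SHA256
  return `${input}.${sig.toString('base64url')}`;
}

// Verify with a pinned algorithm: the receiver, not the token header, decides which alg is accepted.
function verifyJwt(token, expectedAlg, key) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [header, body, sig] = parts;
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString());
  if (alg !== expectedAlg) throw new Error(`unexpected alg: ${alg}`);
  const input = Buffer.from(`${header}.${body}`);
  const sigBuf = Buffer.from(sig, 'base64url');
  let ok;
  if (expectedAlg === 'RS256') {
    ok = crypto.verify('sha256', input, key, sigBuf);
  } else {
    const mac = crypto.createHmac('sha256', key).update(input).digest();
    ok = mac.length === sigBuf.length && crypto.timingSafeEqual(mac, sigBuf);
  }
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (claims.exp <= Math.floor(Date.now() / 1000)) throw new Error('token expired');
  return claims;
}

// Constructed demo values: the secret, key pair and email are sample data.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const claims = { email: 'user@example.com' };
  return {
    secret: 'constructed-shared-secret',
    publicKey,
    hs: signJwt('HS256', 'constructed-shared-secret', claims, 120),
    rs: signJwt('RS256', privateKey, claims, 120),
  };
}
```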