Skip to content

JWT Signing Key

Service Name: JSON Web Token (JWT)

Service Description: JWT is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed using a secret (HMAC algorithm) or a public/private key pair.

Service Address: Not applicable - JWT is a standard, not a specific service

Validation Type: API Auth

IP Allow list: Does not exist

Secret Access Scope: Grants the ability to sign and verify JWT tokens, which can provide authentication and authorization capabilities for applications and APIs.

Secret Revokement URL: Does not exist (JWT keys must be rotated at the application level)

Secret Example: MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7VJTUt9Us8cKj

Suspicious Activity Investigation Instructions:

  • Review application logs for unusual token generation or verification activities
  • Check for unexpected authentication successes from unknown sources
  • Monitor for increased API usage patterns that might indicate token abuse
  • Examine token payloads for suspicious claims or unexpected values
  • Verify that token expiration times are being properly enforced

Mitigation Instructions:

  • Immediately rotate the JWT signing key in all environments
  • Update the key in all services that use it for token verification

  • Implement a new signing key with stronger encryption if necessary

  • Revoke and reissue all active tokens that were signed with the compromised

key

  • Consider implementing shorter token expiration times
  • Add additional claims validation to prevent token misuse
  • Implement proper key management practices including regular rotation
  • Consider using a managed identity provider if handling JWT manually