Skip to content


The api-gateway service can issue signed JWTs in the two following scenarios :

  • OpenID Connect (OIDC) authentication : Once authenticating web clients (loaded from pages or console services) has received an authorization code from OIDC server (the api gateway), they exchange it with a JWT
  • Anonymous authentication : The /v2/login/anonymous initiates anonymous &unauthenticated sessions, receiving a userId, sessionId and a JWT in response

On the other hand, authenticated users can also generate accessTokens (with /v2/user/accessToken APIs) to grant any script / technical account same privileges they have for a longer & predefined session duration. These accessTokens are opaque tokens generated with NodeJS crypto.randomUUID() method.

JWTs signing


api-gateway signs JWT using a JWK automatically rotated & stored inside api-gateway database.

When the currently active (i.e used for signing JWTs) JWK is rotated, it remains available for JWTs verification, but new session JWTs are signed using a new JWK.

JWKs are removed ACCESS_TOKENS_MAX_AGE (max JWT expiration time) after their rotation, once all of their signed JWTs should have expired.
On JWK rotation or removal, every api-gateway but also runtime instances are synchronized with updated JWK store through events (gateway.jwks.updated and runtime.jwks.updated).
Indeed, runtime needs to be able to send requests on user behalf, and thus needs to receive new signing JWK whenever it is updated.

However, this rotation only happens during api-gateway startup, so JWKs might not be rotated exactly on configured rotation period.

If the signing JWT has leaked, it must be manually deleted from database before restarting both api-gateway and runtime services.

Public keys are available at


api-gateway supports the following environment variables for JWK & JWTs configuration :

Environment variable Description Default value
JWKS_ROTATION_DAYS Rotation period in days 30
JWKS_KTY JWK Algorithm family, see node-jose RSA
JWKS_ALG JWK signature algorithm, see node-jose RS256
JWKS_SIZE JWK size, see node-jose 2048
ACCESS_TOKENS_MAX_AGE JWT expiration time in seconds 2592000 (30 days)