Keys #
A magician is only an actor, an actor pretending to be a magician. – Harry Houdini
JWT tokens #
The AppKey authentication process returns a JWT token after validating the user’s Passkey during login. JWT authentication relies on public/private key (asymmetric) cryptography: the AppKey provider generates and signs JWT authorization tokens with a private key known only to it, and the developer is given the corresponding public key, which the application uses on the client side to verify the JWT signature. Because the tokens carry an RSA signature that cannot be forged or altered without that private key, a man-in-the-middle attack between the AppKey authentication provider and the application is highly unlikely to succeed.
Authentication best practices recommend JWT authentication as the preferred method for securing user access to an application. AppKey simplifies this process for developers by implementing Passkeys as the authentication method.
The AppKey service is developer-focused and consists of two main components:
- A portal website for managing applications
- A REST API for client applications to authenticate users
To use the service, a developer must first register through the AppKey Portal. The primary purpose of the portal is to manage user authentication and authorization for applications. The AppKey developer portal provides a straightforward interface for managing application users.
The AppKey REST API offers a runtime service that enables web or mobile applications to authenticate users and connect to the application set up in the AppKey Portal.
Application keys #
In AppKey, each application provides two keys that developers need to integrate into their application code to enable passkey authentication. These keys are:
- Public Key
- App Token
The public key is used by the application to verify that JWT tokens signed by AppKey are valid. This public key can be presented in two formats: the PEM format, which includes a ‘BEGIN PUBLIC KEY’ header, or as a raw public key, a long string of hexadecimal characters. The format you need depends on your application’s requirements. It’s important to note that only the public key provided in the AppKey Portal can be used to verify JWT signatures. These signatures are generated with a corresponding private key that is not shared with the developer.
The second key is the App Token. Developers use this token in the AppKey REST API to access services linked to their application. The App Token should remain confidential, as it uniquely identifies an authorized application client with access to the AppKey REST API.