A named JWT signing service. Each issuer has its own transit signing key, its own 'iss' claim, and its own OIDC discovery endpoint, so different relying parties can have isolated trust roots.

Authorization to use an issuer is granted via standard policies: a policy rule permitting the 'update' operation on /strongbox/jwt-issuers/<name>/roles/<role>/mint lets the bearer mint JWTs constrained by that role.
Named JWT signing services. Each issuer is independent: it has its own transit signing key, its own 'iss' claim, and its own OIDC discovery endpoint, so different relying parties can be given JWTs minted from isolated trust roots.

Authorization to mint is granted via standard policies on /strongbox/jwt-issuers/<name>/roles/<role>/mint.
| Field | Type | Description |
|---|---|---|
| name | string <name> | |
| signing-key (required) | string <leafref> | Transit key used to sign JWTs. Must be ecdsa-p256, ecdsa-p384, rsa-2048 or stronger, or ed25519. The recommendation is ecdsa-p256. Rotation of the underlying transit key produces a new 'kid' which appears in the JWKS during the overlap window. The signing key should be configured to rotate every 3-6 months. |
| issuer | string | Value placed in the 'iss' claim of all JWTs issued by this service. Typically the public HTTPS URL of this issuer's OIDC discovery document. When omitted, the issuer is auto-derived as https://api. |
| default-ttl | string <duration> | Default: "1h". A duration in years, days, hours, minutes and seconds. Format is Examples: Default TTL applied when a mint request does not specify a TTL and the invoked role does not override the default. |
| max-ttl | string <duration> | Default: "24h". A duration in years, days, hours, minutes and seconds. Format is Examples: Hard cap on the TTL of minted JWTs. Per-role max-ttl values further constrain this. |
| verbose-logging | boolean | Default: false. Enable verbose logging for mint attempts on this issuer. Useful for debugging role constraints and template expansion. |
| distribute | to (object) or sites (object) or deployments (object) | Default: "to" |
Created
Bad Request
Unauthorized
Forbidden
Not Found
Conflict (instance exists)
Service Unavailable (strongbox sealed)
```yaml
name: payments-api
signing-key: payments-jwt-key
issuer: https://strongbox.example.com/jwt/payments-api
default-ttl: 1h
max-ttl: 1d
verbose-logging: false
distribute:
  to: all
```
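The two constraints the configuration table states, the permitted signing-key types and the relationship between default-ttl, the issuer's max-ttl and a role's own max-ttl, checked in code. This is an added example, not strongbox's own code: the duration grammar, the separate key_type lookup and clamping (rather than rejecting) an over-long request are assumptions, and PAYMENTS_API is the page's example config as a dict.

```python
import re

# Assumed duration grammar (the page leaves its own format text blank): a run
# of <int><unit> pairs with units y, d, h, m, s, e.g. "1h", "1d", "1h30m".
_UNIT = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)([ydhms])")

PAYMENTS_API = {  # the issuer from the page's own example, as a constructed dict
    "name": "payments-api", "signing-key": "payments-jwt-key",
    "issuer": "https://strongbox.example.com/jwt/payments-api",
    "default-ttl": "1h", "max-ttl": "1d",
}

def parse_duration(text):
    """Parse e.g. '1h30m' into seconds; reject anything outside the grammar."""
    if not text or _TOKEN.sub("", text):
        raise ValueError(f"bad duration: {text!r}")
    return sum(int(n) * _UNIT[u] for n, u in _TOKEN.findall(text))

def signing_key_allowed(key_type):
    """Key types the page permits: ecdsa-p256, ecdsa-p384, ed25519, rsa-2048+."""
    if key_type in ("ecdsa-p256", "ecdsa-p384", "ed25519"):
        return True
    m = re.fullmatch(r"rsa-(\d+)", key_type)
    return bool(m) and int(m.group(1)) >= 2048

def validate_issuer(cfg, key_type):
    """Problems with an issuer config (empty list means it is sound).
    key_type is the transit key's type, looked up separately (assumed)."""
    problems = []
    if not signing_key_allowed(key_type):
        problems.append(f"signing-key type {key_type!r} is not permitted")
    if not cfg.get("issuer", "https://").startswith("https://"):
        problems.append("issuer must be the public HTTPS URL of the issuer")
    if parse_duration(cfg.get("default-ttl", "1h")) > parse_duration(cfg.get("max-ttl", "24h")):
        problems.append("default-ttl exceeds max-ttl")
    return problems

def effective_ttl(cfg, role, requested=None):
    """Seconds a mint request is granted: the requested TTL, else the role's
    default, else the issuer's default; capped by the role's max-ttl (if set)
    and always by the issuer's max-ttl. Clamping an over-long request instead
    of rejecting it is an assumption; the page only calls max-ttl a hard cap."""
    cap = parse_duration(cfg.get("max-ttl", "24h"))
    if role.get("max-ttl"):
        cap = min(cap, parse_duration(role["max-ttl"]))
    wanted = requested or role.get("default-ttl") or cfg.get("default-ttl", "1h")
    return min(parse_duration(wanted), cap)
```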
| Parameter | Type | Description |
|---|---|---|
| fields | string | Retrieve only requested fields from the resource. See section fields. |
| where | string | Retrieve only items matching the given expression. See section where. |
| validate | string <enumeration> | Validate the request but do not actually perform the requested operation. |
| keys | string <enumeration> | Retrieve only the keys for the list. |
| count | string <enumeration> | Retrieve only the number of elements in the list. |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
- name: payments-api
  signing-key: payments-jwt-key
  issuer: https://strongbox.example.com/jwt/payments-api
  default-ttl: 1h
  max-ttl: 1d
  verbose-logging: false
  distribute:
    to: all
```
| Field | Type | Description |
|---|---|---|
| name | string <name> | |
| signing-key (required) | string <leafref> | Transit key used to sign JWTs. Must be ecdsa-p256, ecdsa-p384, rsa-2048 or stronger, or ed25519. The recommendation is ecdsa-p256. Rotation of the underlying transit key produces a new 'kid' which appears in the JWKS during the overlap window. The signing key should be configured to rotate every 3-6 months. |
| issuer | string | Value placed in the 'iss' claim of all JWTs issued by this service. Typically the public HTTPS URL of this issuer's OIDC discovery document. When omitted, the issuer is auto-derived as https://api. |
| default-ttl | string <duration> | Default: "1h". A duration in years, days, hours, minutes and seconds. Format is Examples: Default TTL applied when a mint request does not specify a TTL and the invoked role does not override the default. |
| max-ttl | string <duration> | Default: "24h". A duration in years, days, hours, minutes and seconds. Format is Examples: Hard cap on the TTL of minted JWTs. Per-role max-ttl values further constrain this. |
| verbose-logging | boolean | Default: false. Enable verbose logging for mint attempts on this issuer. Useful for debugging role constraints and template expansion. |
| distribute | to (object) or sites (object) or deployments (object) | Default: "to" |
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
name: payments-api
signing-key: payments-jwt-key
issuer: https://strongbox.example.com/jwt/payments-api
default-ttl: 1h
max-ttl: 1d
verbose-logging: false
distribute:
  to: all
```
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
| Field | Type | Description |
|---|---|---|
| name | string <name> | |
| signing-key (required) | string <leafref> | Transit key used to sign JWTs. Must be ecdsa-p256, ecdsa-p384, rsa-2048 or stronger, or ed25519. The recommendation is ecdsa-p256. Rotation of the underlying transit key produces a new 'kid' which appears in the JWKS during the overlap window. The signing key should be configured to rotate every 3-6 months. |
| issuer | string | Value placed in the 'iss' claim of all JWTs issued by this service. Typically the public HTTPS URL of this issuer's OIDC discovery document. When omitted, the issuer is auto-derived as https://api. |
| default-ttl | string <duration> | Default: "1h". A duration in years, days, hours, minutes and seconds. Format is Examples: Default TTL applied when a mint request does not specify a TTL and the invoked role does not override the default. |
| max-ttl | string <duration> | Default: "24h". A duration in years, days, hours, minutes and seconds. Format is Examples: Hard cap on the TTL of minted JWTs. Per-role max-ttl values further constrain this. |
| verbose-logging | boolean | Default: false. Enable verbose logging for mint attempts on this issuer. Useful for debugging role constraints and template expansion. |
| distribute | to (object) or sites (object) or deployments (object) | Default: "to" |
Created
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
name: payments-api
signing-key: payments-jwt-key
issuer: https://strongbox.example.com/jwt/payments-api
default-ttl: 1h
max-ttl: 1d
verbose-logging: false
distribute:
  to: all
```
OK
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
```yaml
name: payments-api
signing-key: payments-jwt-key
issuer: https://strongbox.example.com/jwt/payments-api
default-ttl: 1h
max-ttl: 1d
verbose-logging: false
distribute:
  to: all
```
| Parameter | Type | Description |
|---|---|---|
| fields | string | Retrieve only requested fields from the resource. See section fields. |
| where | string | Retrieve only items matching the given expression. See section where. |
| site | string | Send the request to the specified site. |
| content | string <enumeration> | Filter descendant nodes in the response. |
| keys | string <enumeration> | Retrieve only the keys for the list. |
| count | string <enumeration> | Retrieve only the number of elements in the list. |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
```yaml
- name: payments-api
  signing-key: payments-jwt-key
  issuer: https://strongbox.example.com/jwt/payments-api
  default-ttl: 1h
  max-ttl: 1d
  discovery-url: https://strongbox.example.com/jwt/payments-api
  verbose-logging: false
  distribute:
    to: all
  distribution-status:
    to: all
```
| Parameter | Type | Description |
|---|---|---|
| fields | string | Retrieve only requested fields from the resource. See section fields. |
| where | string | Retrieve only items matching the given expression. See section where. |
| site | string | Send the request to the specified site. |
| content | string <enumeration> | Filter descendant nodes in the response. |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
```yaml
name: payments-api
signing-key: payments-jwt-key
issuer: https://strongbox.example.com/jwt/payments-api
default-ttl: 1h
max-ttl: 1d
discovery-url: https://strongbox.example.com/jwt/payments-api
verbose-logging: false
distribute:
  to: all
distribution-status:
  to: all
```
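The relying-party side of what the issuer's discovery-url and per-issuer signing key give you: a key cache that keeps one JWKS per 'iss', so a token is only ever checked against the keys its own issuer publishes, and that picks up a rotated-in 'kid' during the overlap window without letting unknown kids force a fetch per request. This is an added example, not strongbox or client code; fetch_jwks and the two JWKS documents are constructed stand-ins for resolving an issuer's discovery document over HTTPS.

```python
import time

JWKS = {  # constructed sample documents, one per strongbox issuer
    "https://strongbox.example.com/jwt/payments-api":
        {"keys": [{"kid": "pay-v1", "kty": "EC", "crv": "P-256"}]},
    "https://strongbox.example.com/jwt/billing-api":
        {"keys": [{"kid": "bill-v1", "kty": "EC", "crv": "P-256"}]},
}

def fetch_jwks(iss):
    """Stand-in for iss -> discovery-url -> jwks_uri fetched over HTTPS (assumed)."""
    return JWKS[iss]

class IssuerKeyCache:
    """One JWKS per 'iss'. Keys fetched for one issuer are never used for another,
    which is what keeps the issuers' trust roots isolated at the relying party."""
    def __init__(self, fetch, min_refresh_seconds=60, now=time.monotonic):
        self._fetch = fetch
        self._min_refresh = min_refresh_seconds
        self._now = now
        self._keys = {}         # iss -> {kid: jwk}
        self._fetched_at = {}   # iss -> time of last fetch

    def _refresh(self, iss):
        self._keys[iss] = {k["kid"]: k for k in self._fetch(iss)["keys"]}
        self._fetched_at[iss] = self._now()

    def key_for(self, iss, kid):
        """JWK for (iss, kid), or None if that issuer does not publish that kid."""
        if iss not in self._keys:
            self._refresh(iss)
        if kid not in self._keys[iss]:
            # An unseen kid may be a freshly rotated key now in the JWKS overlap
            # window, so refresh once; the floor stops tokens carrying garbage
            # kids from forcing a discovery fetch on every request.
            if self._now() - self._fetched_at[iss] >= self._min_refresh:
                self._refresh(iss)
        return self._keys[iss].get(kid)
```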