Beta

Key Pairs & Signature

Learn how CakeAuth signs and verifies tokens securely at scale

Overview

By default, CakeAuth uses asymmetric cryptography, primarily the RS256 algorithm (RSA signature with SHA-256, RSASSA-PKCS1-v1_5 in JWA terms), to sign and verify every token it issues.

This page explains the key-management system and the signature process that keep token handling secure across your different environments.

Environment-Specific Keys

Yes, you read that correctly: CakeAuth issues a unique set of keys for each of your environments. Every environment in CakeAuth is provisioned with its own dedicated cryptographic key pair, so a token issued by one environment will not verify against another environment's public key.

  1. Private Signing Key

    • Used to sign newly issued tokens
    • Never exposed outside the CakeAuth system
    • Stored in secure, encrypted storage (not even we can read the plaintext value)
    • Critical for token authenticity: whoever holds it can mint valid tokens for that environment
  2. Public Verification Key

    • Used by client applications to verify token signatures
    • Safe to share with client applications
    • Published through the JWKS endpoint
    • Lets any service verify tokens locally, without calling CakeAuth on every request

Reading my Public Keys

You can read the public keys for an environment from that environment's host. For example:

https://my-cool-app.live.cakeauth.app/.well-known/jwks.json

The response is a JSON Web Key Set (JWKS) document. For example:

{
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "ext": true,
      "kty": "RSA",
      "n": "key-1-values",
      "use": "sig",
      "kid": "key_qziojlr8u7rczho7xqkr2gdvygnj1lw5"
    },
    {
      "alg": "RS256",
      "e": "AQAB",
      "ext": true,
      "kty": "RSA",
      "n": "key-2-values",
      "use": "sig",
      "kid": "key_e50kkkmsdsmnxjiugf0q5zy5b9f5o6er"
    },
    {
      "alg": "RS256",
      "e": "AQAB",
      "ext": true,
      "kty": "RSA",
      "n": "key-3-values",
      "use": "sig",
      "kid": "key_7ozy0gjnc6rn4ecf8ie53yoeeepcewbz"
    }
  ]
}

Note that the endpoint only ever returns public keys; the private signing key is never published. A JWKS can list several keys at once (for example during rotation), so a verifier should pick the key whose kid matches the kid in the token header rather than assuming the first entry.

Convert it back to a Public Key value

There are many ways to convert a JWK object into a PEM-encoded public key. In a JavaScript environment, for example, you can use the jwk-to-pem library:

import jwkToPem from "jwk-to-pem";

// One entry taken from the JWKS response. "n" is the base64url-encoded RSA
// modulus; it is shortened to "xxxx" here, use the real value from your JWKS.
const jwk = {
  alg: "RS256",
  e: "AQAB",
  ext: true,
  kty: "RSA",
  n: "xxxx",
  use: "sig",
  kid: "key_qziojlr8u7rczho7xqkr2gdvygnj1lw5",
};

// jwkToPem returns the public key by default (pass { private: true } only for a
// JWK that carries the private exponent "d", which the JWKS endpoint never does).
const publicKeyPem = jwkToPem(jwk);
console.log(publicKeyPem);

How we generate & manage keys

Key Generation

For every environment, development and production alike, we generate a dedicated set of key pairs.

We use AWS KMS to generate and encrypt every key an environment needs, in an envelope-encryption arrangement: a KMS root key encrypts the per-environment encryption keys, and those keys in turn protect the private keys that sign your tokens.

In short, we never see the plaintext value of any private signing key, which is the strongest guarantee we can offer at our current stage.


Key Storage

Keys are stored with the following safeguards:

  • Encrypted at rest and in transit
  • Keys and other secrets managed by a key management service (AWS KMS)
  • Access controlled through fine-grained permissions
  • Regular backup procedures
  • Internal audit logging of all key operations
