Schemas

WebAuthnRegistrationRequest

{
  "username": "string",
  "user_verification": "string",
  "attestation": "string",
  "attachment": "string",
  "algorithms": [
    "string"
  ],
  "discoverable_credential": "string"
}
Name Type Required Description
username string false none
user_verification string false none
attestation string false none
attachment string false none
algorithms [string] false none
discoverable_credential string false none

WebAuthnRegistrationResponse

{
  "rp": {
    "name": "string",
    "id": "string"
  },
  "user": {
    "name": "string",
    "displayName": "string",
    "id": "string"
  },
  "challenge": "string",
  "pubKeyCredParams": [
    {
      "type": "string",
      "alg": 0
    }
  ],
  "timeout": 0,
  "authenticatorSelection": {
    "requireResidentKey": true,
    "userVerification": "string"
  }
}
Name Type Required Description
rp object false none
» name string false none
» id string false none
user object false none
» name string false none
» displayName string false none
» id string false none
challenge string false none
pubKeyCredParams [object] false none
» type string false none
» alg integer false none
timeout integer false none
authenticatorSelection object false none
» requireResidentKey boolean false none
» userVerification string false none

WebAuthnVerifyRequest

{
  "username": "string",
  "response": {
    "id": "string",
    "rawId": "string",
    "response": {
      "attestationObject": "string",
      "clientDataJSON": "string",
      "transports": [
        "string"
      ],
      "publicKeyAlgorithm": 0,
      "publicKey": "string",
      "authenticatorData": "string"
    },
    "type": "string",
    "clientExtensionResults": {},
    "authenticatorAttachment": "string"
  }
}
Name Type Required Description
username string false none
response object false none
» id string false none
» rawId string false none
» response object false none
»» attestationObject string true none
»» clientDataJSON string true none
»» transports [string] true none
»» publicKeyAlgorithm integer true none
»» publicKey string true none
»» authenticatorData string true none
» type string false none
» clientExtensionResults object false none
» authenticatorAttachment string false none

WebAuthnVerifyResponse

{
  "verified": true
}
Name Type Required Description
verified boolean false none

WebAuthnAuthenticationOptionsRequest

{
  "username": "string",
  "user_verification": "string"
}
Name Type Required Description
username string false none
user_verification string false none

WebAuthnAuthenticationOptionsResponse

{
  "challenge": "string",
  "timeout": 0,
  "rpId": "string",
  "allowCredentials": [
    {
      "type": "string",
      "id": "string",
      "transports": [
        "string"
      ]
    }
  ],
  "userVerification": "string"
}
Name Type Required Description
challenge string false none
timeout integer false none
rpId string false none
allowCredentials [object] false none
» type string false none
» id string false none
» transports [string] false none
userVerification string false none

WebAuthnAuthenticationVerificationRequest

{
  "username": "string",
  "response": {
    "id": "string",
    "rawId": "string",
    "response": {
      "authenticatorData": "string",
      "clientDataJSON": "string",
      "signature": "string",
      "userHandle": "string"
    },
    "type": "string",
    "clientExtensionResults": {},
    "authenticatorAttachment": "string"
  }
}
Name Type Required Description
username string true none
response object true none
» id string true none
» rawId string true none
» response object true none
»» authenticatorData string true none
»» clientDataJSON string true none
»» signature string true none
»» userHandle string false none
» type string true none
» clientExtensionResults object false none
» authenticatorAttachment string false none

WebAuthnAuthenticationVerificationResponse

{
  "access_token": "string",
  "expires_in": 0,
  "refresh_token": "string",
  "token_type": "string"
}
Name Type Required Description
access_token string true none
expires_in integer true none
refresh_token string true none
token_type string true none

accessTokenResponse

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1VTkJaNa0ZGTWtKQlFqVkRPVFV4TlVWQ04wRTRPVEV5UWpGRFJFSTFNMFZEUXpBMU1UVTVNQSJ9.....h6GTIB8OMcMXDxyUzUW8tJ8LW7U_yIQfCshDuOW9E-_rd9NNRBxzsPhVHllawcB336Xfo3kwrVmS0KdkLGWz4BJo67R_4KXjQ_1VcmHD2WfzpS06fmjdV1DWZbd5dv3LBtPXEIYxWVzFSUcAlIKo5cstYlUWvb1weh56yBu26Y48UK5CIjwLmqAtlxL3kNcMI_PPuM-UmiQPeNe8cKPN4c7Tf_aVw38DcGydY53GIJ_fTeRvB5kb9CO4bs6g4iWOFZFFuLAluRFZsKcqJwNdW1RDYB_blmva5Q8JrBeU5TkbfdrWIL2QfdD93hjLFcWgE9z6txUz5opW2qkcMoQkLA",
  "scope": "read:client_grants create:client_grants delete:client_grants update:client_grants",
  "expires_in": 86400,
  "token_type": "Bearer",
  "refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1VTkJNa0ZGTWtKQlFqVkRPVFV4TlVWQ04wRTRPVEV5UWpGRFJFSTFNMFZEUXpBMU1UVTVNQSJ9"
}
Name Type Required Description
access_token string true A token used by the client to make authenticated requests on behalf of the resource owner
scope string false Scopes
expires_in integer false none
token_type string true none
refresh_token string false A token used by the client to obtain a new access token without having to involve the resource owner.

bcAuthorizeResponse

{
  "auth_req_id": "d221eb9b-9d33-4fe9-ba41-9711ed0309ce",
  "expires_in": 360,
  "interval": 60
}
Name Type Required Description
auth_req_id string true REQUIRED. This is a unique identifier to identify the authentication request made by the Client.
expires_in integer true The duration in seconds for which the authentication request is valid.
interval integer true The minimum amount of time in seconds that the client SHOULD wait between polling to check if the authentication request has been completed.

deviceCodeAuthorizeResponse

{
  "device_code": "817c6cf8-0adc-4e61-bc58-5c6de63af808",
  "user_code": "RKNG-ZGXR",
  "verification_uri": "https://authn.masstack.com/v1/device",
  "verification_uri_complete": "https://authn.masstack.com/v1/device?user_code=RKNG-ZGXR",
  "qr_code": "data:image/png;base64,...",
  "expires_in": 360,
  "interval": 60
}
Name Type Required Description
device_code string true REQUIRED. The unique code used for device verification.
user_code string true REQUIRED. The human-readable user code to be displayed to the user.
verification_uri string true REQUIRED. The end-user verification URI on the authorization server. The URI should be short and easy to remember as end users will be asked to manually type it into their user agent.
verification_uri_complete string false A verification URI that includes the "user_code" (or other information with the same function as the "user_code"), which is designed for non-textual transmission.
qr_code string true REQUIRED. The base64 encoded QR code image data.
expires_in integer true REQUIRED. The lifetime in seconds of the “device_code” and “user_code”.
interval integer false The minimum amount of time in seconds that the client SHOULD wait between polling requests to the token endpoint. If no value is provided, clients MUST use 5 as the default.

tokenClaims

{
  "tid": "97c1a3c5-839f-4245-b32c-3292352faf66",
  "cid": "5H3ui5FBKtPQraqPYpXD",
  "scope": "api:everything",
  "strength": "amboto",
  "exp": 3500,
  "aud": "devops.auth.masmovil.com",
  "iat": 3500,
  "iss": 3500,
  "sub": "AE0001",
  "preferred_username": "ae0001",
  "tenants": "v1::1",
  "tenants_translation": [
    {
      "tenant_id": "15",
      "org": "yoigo"
    }
  ],
  "groups": "agent",
  "roles": "XSELLING RETENCION",
  "permissions": "string",
  "family_name": "string",
  "given_name": "string",
  "require_password_change": true
}
Name Type Required Description
tid string true tid
cid string true cid
scope string true Scopes
strength string false describes token level of security
exp integer false none
aud string false none
iat string false issued at
iss integer false http://localhost:6040
sub string false subject
preferred_username string false user_name
tenants string false none
tenants_translation [object] false none
» tenant_id string false Internal id
» org string false public name
groups string false none
roles string false none
permissions string false none
family_name string false none
given_name string false none
require_password_change boolean false none

errorAccessTokenResponse

{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
Name Type Required Description
error string true A single error code
error_description string false Human-readable text providing additional information, used to assist in understanding and resolving the error that occurred
error_uri string false none
Property Values
error one of [invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, error_description, error_uri]

goError

{
  "id": "MM0000001",
  "status": 400,
  "msg": "Invalid inbound entit",
  "componentMsg": "EOF. Inbound application malformed",
  "sentryCode": "fake-req-id"
}
Name Type Required Description
id string true Unique identifier of error
status integer true Status code of the response
msg string false Final user message
componentMsg string false Technical message
sentryCode string false Unique identifier to use in sentry

tokenInfoRequest

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MjM4MzU4OTEsImV4cCI6MTY1NTM3MTg5MSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.oSm7gu7N4ypkz0e7W-hyOTozX2AUEZ_YacSoYqMkyLs"
}
Name Type Required Description
access_token string true A valid access token provided by authn

logoutRequest

{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MjM4MzU4OTEsImV4cCI6MTY1NTM3MTg5MSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.oSm7gu7N4ypkz0e7W-hyOTozX2AUEZ_YacSoYqMkyLs",
  "scope": "all"
}
Name Type Required Description
token string false A valid token (access_token or refresh_token) provided by authn
scope string false If the value is all, all of the user’s sessions and refresh_tokens are deleted.

openid-configuration

{
  "token_endpoint": "https://authn.k8s.masmovil.com/oauth/token",
  "token_endpoint_auth_methods_supported": [
    [
      "client_secret_post",
      "client_secret_basic"
    ]
  ],
  "jwks_uri": "https://authn.k8s.masmovil.com/.well-known/jwks.json",
  "response_modes_supported": [
    [
      "query",
      "fragment",
      "form_post"
    ]
  ],
  "subject_types_supported": [
    [
      "public"
    ]
  ],
  "id_token_signing_alg_values_supported": [
    [
      "RS256"
    ]
  ],
  "response_types_supported": [
    [
      "code",
      "token"
    ]
  ],
  "scopes_supported": [
    [
      "openid",
      "profile",
      "email",
      "offline_access"
    ]
  ],
  "issuer": "{appName}.auth.masmovil.com",
  "request_uri_parameter_supported": false,
  "userinfo_endpoint": "",
  "authorization_endpoint": "https://authn.k8s.masmovil.com/oauth/authorize",
  "http_logout_supported": false,
  "frontchannel_logout_supported": false,
  "end_session_endpoint": "",
  "claims_supported": [
    [
      "aud",
      "cid",
      "exp",
      "iat",
      "iss",
      "tenant",
      "scope",
      "sub",
      "tid",
      "user_metadata",
      "app_metadata",
      "given_name",
      "family_name",
      "name"
    ]
  ]
}
Name Type Required Description
token_endpoint string false none
token_endpoint_auth_methods_supported [string] false none
jwks_uri string false none
response_modes_supported [string] false none
subject_types_supported [string] false none
id_token_signing_alg_values_supported [string] false none
response_types_supported [string] false none
scopes_supported [string] false none
issuer string false none
request_uri_parameter_supported boolean false none
userinfo_endpoint string false none
authorization_endpoint string false none
http_logout_supported boolean false none
frontchannel_logout_supported boolean false none
end_session_endpoint string false none
claims_supported [string] false none

jwk

{
  "alg": "RS256",
  "kty": "RSA",
  "use": "sig",
  "x5c": [
    "MIIDBTCCAe2gAwIBAgIJMg1BS/K2xovDMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNVBAMTFW1hc21vdmlsLmV1LmF1dGgwLmNvbTAeFw0xODA0MjcwNzQ5MjFaFw0zMjAxMDQwNzQ5MjFaMCAxHjAcBgNVBAMTFW1hc21vdmlsLmV1LmF1dGgwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALRLXzvNzYGhvXUVefnrw+2+5k/J5PkSiv3dpbQjJB/kM3uPPVa/+qiy9gvcZbSkeN+Z6D3+fTcIW+xdWuiIj8kiBGLpHCjPz5ybaTq87uvx2KfEqx+T/Q7z9..."
  ],
  "n": "tEtfO83NgaG9dRV5-evD7b7mT8nk-RKK_d2ltCMkH-Qze489Vr_6qLL2C9xltKR435noPf59Nwhb7F1a6IiPySIEYuk...",
  "e": "AQAB",
  "kid": "MUNBMkFFMkJBQjVDOTUxNUVCN0E4OTEyQjFDREI1M0VDQzA1MTU5MA",
  "x5t": "MUNBMkFFMkJBQjVDOTUxNUVCN0E4OTEyQjFDREI1M0VDQzA1MTU5MA"
}
Name Type Required Description
alg string false The “alg” (algorithm) member identifies the algorithm intended for use with the key
kty string false The “kty” (key type) member identifies the cryptographic algorithm family used with the key, such as “RSA” or “EC”. “kty” values should either be registered in the IANA JSON Web Key Types registry defined in [JWA] or be a value that contains a Collision-Resistant Name. The “kty” value is a case-sensitive string.
use string false The “use” (public key use) member identifies the intended use of the public key. The “use” parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data.
x5c [string] false The “x5c” (X.509 Certificate Chain) member contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64 encoded ([RFC4648] Section 4 – not base64url encoded) DER [ITU.X690.1994] PKIX certificate value
n string false none
e string false none
kid string false The “kid” (key ID) member is used to match a specific key. This is used, for instance, to choose among a set of keys within a JWK Set during key rollover
x5t string false The “x5t” (X.509 Certificate SHA-1 Thumbprint) member is a base64url encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280].
Property Values
use one of [sig, enc]

jwks

{
  "keys": [
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "x5c": [
        "MIIDBTCCAe2gAwIBAgIJMg1BS/K2xovDMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNVBAMTFW1hc21vdmlsLmV1LmF1dGgwLmNvbTAeFw0xODA0MjcwNzQ5MjFaFw0zMjAxMDQwNzQ5MjFaMCAxHjAcBgNVBAMTFW1hc21vdmlsLmV1LmF1dGgwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALRLXzvNzYGhvXUVefnrw+2+5k/J5PkSiv3dpbQjJB/kM3uPPVa/+qiy9gvcZbSkeN+Z6D3+fTcIW+xdWuiIj8kiBGLpHCjPz5ybaTq87uvx2KfEqx+T/Q7z9..."
      ],
      "n": "tEtfO83NgaG9dRV5-evD7b7mT8nk-RKK_d2ltCMkH-Qze489Vr_6qLL2C9xltKR435noPf59Nwhb7F1a6IiPySIEYuk...",
      "e": "AQAB",
      "kid": "MUNBMkFFMkJBQjVDOTUxNUVCN0E4OTEyQjFDREI1M0VDQzA1MTU5MA",
      "x5t": "MUNBMkFFMkJBQjVDOTUxNUVCN0E4OTEyQjFDREI1M0VDQzA1MTU5MA"
    }
  ]
}
Name Type Required Description
keys [jwk] true The JSON object MUST have a “keys” member, which is an array of JWKs.
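
Added example (not part of the original reference and not authn's own code): one way a client could use the kid, kty, use and alg members described above to pick the verification key from a jwks document during key rollover, with the algorithm pinned to the RS256 value listed under id_token_signing_alg_values_supported. The names select_verification_key, constructed_token and SAMPLE_JWKS and the kid values are assumptions made for illustration; the signature check itself is left to a JWT library.

```python
import base64
import json

# Pinned by the verifier, never taken from the token; RS256 is the value this
# page lists under id_token_signing_alg_values_supported.
ALLOWED_ALGS = {"RS256"}

class KeySelectionError(Exception):
    """Raised when no key in the set may verify the token."""

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def select_verification_key(token, jwks):
    """Return the single JWK allowed to verify `token`, or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise KeySelectionError("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise KeySelectionError("unreadable JWT header") from exc
    if not isinstance(header, dict):
        raise KeySelectionError("JWT header is not an object")
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in ALLOWED_ALGS:  # rejects "none" and HS256 key confusion
        raise KeySelectionError(f"algorithm {alg!r} is not allowed")
    matches = [k for k in jwks.get("keys", []) if kid and k.get("kid") == kid]
    if len(matches) != 1:  # unknown kid, missing kid, or ambiguous key set
        raise KeySelectionError(f"expected one key for kid {kid!r}")
    key = matches[0]
    if key.get("kty") != "RSA" or key.get("use", "sig") != "sig":
        raise KeySelectionError("key is not an RSA signature key")
    if key.get("alg", alg) != alg:
        raise KeySelectionError("key is bound to a different algorithm")
    return key

def constructed_token(header):
    """Build an unsigned sample token; only the header matters here."""
    raw = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=")
    return raw.decode() + ".e30.c2ln"

# Constructed key set modelling a rollover: two signing keys, one encryption key.
SAMPLE_JWKS = {"keys": [
    {"kid": "key-2023", "kty": "RSA", "use": "sig", "alg": "RS256", "n": "...", "e": "AQAB"},
    {"kid": "key-2024", "kty": "RSA", "use": "sig", "alg": "RS256", "n": "...", "e": "AQAB"},
    {"kid": "key-enc", "kty": "RSA", "use": "enc", "n": "...", "e": "AQAB"},
]}
```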