Using the JWK Sets REST API

Example GET a JWK set

This operation will discover what the active key's ID ("kid") is.

The GET request URL looks like:

/opa-hub/api/12.2.27/jwksets/wd_access_token

An example response to this request would be:

{
    "purpose": "wd_access_token",
    "allowedKeyUse": "enc",
    "activeKeyID": "e663e54e-4bcb-422d-9082-163355d70777",
    "keys": {
        "links": [ ... ]
    },
    "links": [ ... ]
}

Example GET a JWK set key

This operation will retrieve the active key using its kid.

The GET request URL looks like:

/opa-hub/api/12.2.27/jwksets/wd_access_token/keys/e663e54e-4bcb-422d-9082-163355d70777

An example response to this request would be:

{
    "kid": "e663e54e-4bcb-422d-9082-163355d70777",
    "kty": "EC",
    "use": "enc",
    "crv": "P-256",
    "x": "ny6tBcdL0F7uB7_VhsXkiqCMvlZsB0LspbztM3WOKaU",
    "y": "RcYpety4hVAR2mhyUSfU2J9-zzz6nsEfK-ro9b1oMws",
    "links": [ ... ]
}

Example GET a JWK set and the keys

This operation will retrieve both the set (which describes what the active kid is) and expand the keys.

The GET request URL looks like:

/opa-hub/api/12.2.27/jwksets/wd_access_token?expand=keys

Note that, depending on how many old keys there are, the response may be large.

An example response to this request would be:

{
    "purpose": "wd_access_token",
    "allowedKeyUse": "enc",
    "activeKeyID": "e663e54e-4bcb-422d-9082-163355d70777",
    "keys": {
        "items": [
            {
                "kid": "e663e54e-4bcb-422d-9082-163355d70777",
                "kty": "EC",
                "use": "enc",
                "crv": "P-256",
                "x": "ny6tBcdL0F7uB7_VhsXkiqCMvlZsB0LspbztM3WOKaU",
                "y": "RcYpety4hVAR2mhyUSfU2J9-zzz6nsEfK-ro9b1oMws",
                "links": [ ... ]
            },
            ... ! POSSIBLY MANY MORE KEY ENTRIES !
        ],
        "links": [ ... ]
    },
    "links": [ ... ]
}
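
A client that consumes the expanded response can check it before trusting the key. The following is an added example, not part of the original documentation or the product's own code: it picks the key named by activeKeyID, confirms its use matches allowedKeyUse, and rejects coordinates that are not a valid P-256 point. The function names and the sample set (built from the P-256 base point, with a made-up kid) are assumptions for illustration.

```python
import base64

# NIST P-256 domain parameters (FIPS 186-4): prime p and coefficient b; a = -3.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

def b64u_decode(value):
    """Decode unpadded base64url, as used for JWK coordinates."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def b64u_encode(raw):
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_ec_jwk(jwk):
    """Return (x, y) as ints if jwk is a well-formed P-256 public key."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        raise ValueError("expected an EC P-256 key")
    coords = [b64u_decode(jwk.get(name, "")) for name in ("x", "y")]
    if any(len(c) != 32 for c in coords):
        raise ValueError("P-256 coordinates must be 32 bytes each")
    x, y = (int.from_bytes(c, "big") for c in coords)
    # Reject points off the curve: y^2 = x^3 - 3x + b (mod p).
    if x >= P or y >= P or (y * y - (x * x * x - 3 * x + B)) % P != 0:
        raise ValueError("point is not on P-256")
    return x, y

def select_active_key(jwk_set):
    """Pick the active key from an expanded set; None if the set is disabled."""
    active = jwk_set.get("activeKeyID")
    if active is None:  # activeKeyID is null: no key may be used
        return None
    matches = [k for k in jwk_set["keys"]["items"] if k.get("kid") == active]
    if len(matches) != 1:
        raise ValueError("activeKeyID does not identify exactly one key")
    key = matches[0]
    if key.get("use") != jwk_set.get("allowedKeyUse"):
        raise ValueError("key use does not match allowedKeyUse")
    check_ec_jwk(key)
    return key

# Constructed sample: the P-256 base point G stands in for a real public key.
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
SAMPLE_KEY = {"kid": "sample-kid-1", "kty": "EC", "use": "enc", "crv": "P-256",
              "x": b64u_encode(GX.to_bytes(32, "big")),
              "y": b64u_encode(GY.to_bytes(32, "big"))}
SAMPLE_SET = {"purpose": "wd_access_token", "allowedKeyUse": "enc",
              "activeKeyID": "sample-kid-1", "keys": {"items": [SAMPLE_KEY]}}
```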

Example POST a JWK set generate active key

This operation will generate a new active key.

The POST request URL looks like:

/opa-hub/api/12.2.27/jwksets/wd_access_token/generate-active-key

Note that this will disable the currently active key if there was one.

The basic structure expected for the POST request for this resource is as follows:

{}

An example response to this request would be:

{
    "kid": "ae21e7ee-747e-4200-be67-82ee99dbe7aa",
    "links": [ ... ]
}

Example PATCH a JWK set

This operation will switch back to a previously used key (assuming that it hasn't been deleted since it was de-activated).

The PATCH request URL looks like:

/opa-hub/api/12.2.27/jwksets/wd_access_token

The structure expected for this PATCH request is as follows:

{
    "activeKeyID": "[the old key's kid value]"
}

Example PATCH active JWK set key

This operation will disable the active key, leaving the set for embedding interviews effectively disabled (a step taken, for example, out of concern for a security breach).

The PATCH request URL looks like:

/opa-hub/api/12.2.27/jwksets/wd_access_token

The structure expected for this PATCH request is as follows:

{
    "activeKeyID": null
}