AbsaOSS / login-service

AbsaOSS Common Login gateway using JWT Public key signatures
Apache License 2.0

Have a set of keys instead of just one #45

Open jakipatryk opened 1 year ago

jakipatryk commented 1 year ago

Background

To allow more UX-friendly key rotation, having a set of keys for signing JWTs is needed. Once a set of keys is used, the "oldest" one can stop signing for a time equal to the JWT expiration set in the config. After that time, it can be replaced with a new one.

A set of keys is also useful if for some reason we have to revoke some JWTs, as we would only have to revoke one key from the set, leaving more users unaffected.

Feature

Have a set of keys for signing JWTs, each key having its own unique ID, and add this ID to the header of the JWT.
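The scheme proposed above, as an added example rather than code from the login-service project: a set of signing keys, each with a kid that goes into the JWT header; rotation that retires the old key but keeps it for verification until every token it signed has expired (one configured JWT lifetime); and revocation of a single key, which invalidates only that key's tokens. The KeySet API (NewKeySet, Rotate, Revoke, Sign, Verify) and the choice of EdDSA (Ed25519) signatures are assumptions made for this example; the project's own key handling and algorithm are not shown on this page. The `now` variable is a package-level clock so that rotation and expiry can be driven deterministically in tests.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
var now = time.Now // package clock; a test swaps it to drive rotation and expiry

// signingKey is one member of the set; retiredAt stays zero while the key still signs.
type signingKey struct {
	priv      ed25519.PrivateKey
	retiredAt time.Time
}

// KeySet holds the current signing key plus retired keys kept only to verify old tokens.
type KeySet struct {
	keys    map[string]*signingKey
	current string        // kid that signs new tokens
	ttl     time.Duration // JWT lifetime from config
}

func NewKeySet(ttl time.Duration) *KeySet { return &KeySet{keys: map[string]*signingKey{}, ttl: ttl} }

// Rotate adds a fresh key under kid (the caller keeps kids unique) and retires the current one.
// A retired key stays for ttl after retirement, since tokens it signed may still be valid; the
// first rotation after that drops it, because by then everything it signed has expired.
func (ks *KeySet) Rotate(kid string) error {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	t := now()
	if old, ok := ks.keys[ks.current]; ok {
		old.retiredAt = t
	}
	for id, k := range ks.keys {
		if !k.retiredAt.IsZero() && t.Sub(k.retiredAt) >= ks.ttl {
			delete(ks.keys, id)
		}
	}
	ks.keys[kid] = &signingKey{priv: priv}
	ks.current = kid
	return nil
}

// Revoke drops one key at once: tokens it signed stop verifying, other keys' tokens are unaffected.
func (ks *KeySet) Revoke(kid string) { delete(ks.keys, kid) }

// Sign issues an EdDSA JWT whose header carries the signing key's kid.
func (ks *KeySet) Sign(sub string) (string, error) {
	k, ok := ks.keys[ks.current]
	if !ok {
		return "", errors.New("no signing key in set")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": ks.current})
	claims, _ := json.Marshal(map[string]any{"sub": sub, "exp": now().Add(ks.ttl).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	return input + "." + b64.EncodeToString(ed25519.Sign(k.priv, []byte(input))), nil
}

// Verify picks the key by kid, checks the signature, then exp, and returns sub. The header is
// attacker-controlled until the signature passes, so alg is pinned and an unknown kid (never
// issued, already dropped, or revoked) is rejected before any signature check.
func (ks *KeySet) Verify(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	var claims struct{ Sub string; Exp int64 }
	if decodePart(parts[0], &hdr) != nil || decodePart(parts[1], &claims) != nil {
		return "", errors.New("undecodable header or claims")
	}
	k, ok := ks.keys[hdr.Kid]
	if hdr.Alg != "EdDSA" || !ok {
		return "", errors.New("unexpected alg or unknown/revoked kid: " + hdr.Alg + "/" + hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(k.priv.Public().(ed25519.PublicKey), []byte(parts[0]+"."+parts[1]), sig) {
		return "", errors.New("bad signature")
	}
	if now().Unix() >= claims.Exp {
		return "", errors.New("token expired")
	}
	return claims.Sub, nil
}

func decodePart(s string, v any) error { // base64url-decode one JWT segment, then unmarshal its JSON
	raw, err := b64.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}
```

Two points worth noting in the design. The retirement window is tied to the configured token lifetime exactly as the issue describes: a key retired at time R may have signed a token as late as R, and that token lives until R plus ttl, so the key is only safe to drop once that much time has passed. And Verify treats the kid purely as a lookup into the server-side set: a token naming a revoked, dropped, or never-issued kid fails before any cryptography runs, so the header cannot be used to resurrect a key, and alg is checked against a fixed value so the key type chosen by the server decides the verification path, not the token.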