Story: JWT RS256 in ores.security
This page documents a story in Sprint 14. It captures the goal, current status, acceptance criteria, and the tasks that compose it.
Goal
Move JWT infrastructure into ores.security and switch to RS256 asymmetric signing so services can validate tokens with just a public key — prerequisite for distributed service authentication.
Status
| Field | Value |
|---|---|
| State | DONE |
| Parent sprint | Sprint 14 |
| Now | Completed 2026-03-04. |
| Waiting on | None. |
| Next | None. |
| Last touched | 2026-03-04 |
Continued in: JWT refresh (sprint 15) — closes the loop with token refresh, configurable lifetimes, and TimescaleDB-backed auth telemetry.
Acceptance
- JWT lives in ores.security (shared across services).
- RS256: IAM private key mints; services verify with public key.
- jwt_claims carries tenant_id + party_id.
- Login response returns the JWT.
- Protocol 49.0 (breaking).
Tasks
| Task | State | Start | End | Description |
|---|---|---|---|---|
| Migrate JWT to ores.security with RS256 | DONE | 2026-05-20 | 2026-03-04 | Move JWT infrastructure from ores.http to ores.security; RS256 asymmetric signing (IAM mints with private key; services verify with public key); jwt_claims extended with tenant_id + party_id; ores.iam.service mints + returns JWT in login_response; protocol 49.0 (breaking). |
Decisions
- RS256 over HS256: services can verify without sharing the signing secret; necessary for the broker / NATS architecture.
- tenant_id + party_id in claims: lets downstream services enforce isolation without a separate session lookup.
Out of scope
- Key rotation tooling — separate workstream.
See also
- NNG message broker attempt — the JWT work was the security half of this attempt; it survives.