Class IdentityProvider

JWT IdentityProvider — manages ES256 signing key pairs.

Example

const provider = new IdentityProvider();
await provider.initialize();
const { privateKey } = provider.activeKeyPair ?? {};

Example

With persistence
import { JsonFileKeyPersistenceAdapter } from './JsonFileKeyPersistenceAdapter.js';
const adapter = new JsonFileKeyPersistenceAdapter({ filePath: '/data/jwt-keys.json' });
const provider = new IdentityProvider({ keyPersistenceAdapter: adapter });
await provider.initialize();

Index

Constructors

constructor

new IdentityProvider(options?: IdentityProviderOptions): IdentityProvider
Parameters
- options: IdentityProviderOptions = {}
Returns IdentityProvider
- Defined in packages/core/src/security/identity/IdentityProvider.ts:63

Accessors

activeKeyPair

get activeKeyPair(): JwtKeyPair | null
The currently active signing key pair, or null before initialisation.

Returns JwtKeyPair | null
- Defined in packages/core/src/security/identity/IdentityProvider.ts:70

previousKeyPair

get previousKeyPair(): JwtKeyPair | null
The previous key pair (grace period after rotation), or null.

Returns JwtKeyPair | null
- Defined in packages/core/src/security/identity/IdentityProvider.ts:75

Methods

getJwks

getJwks(): { keys: JWK[] }
Returns the JWKS object containing all current public keys. Includes both the active key and the previous key (during grace period).

Returns { keys: JWK[] }
- Defined in packages/core/src/security/identity/IdentityProvider.ts:110

initialize

initialize(): Promise<void>
Initialise the provider.

If a KeyPersistenceAdapter was provided and a persisted key set exists, those keys are loaded. Otherwise, a fresh key pair is generated and (if an adapter is configured) saved immediately.

Returns Promise<void>
- Defined in packages/core/src/security/identity/IdentityProvider.ts:86

rotate

rotate(): Promise<void>
Rotate the signing key.

The current active key becomes the previous key (grace period). A new key pair is generated and becomes the active key. If a KeyPersistenceAdapter is configured, the new key set is saved.

Returns Promise<void>
- Defined in packages/core/src/security/identity/IdentityProvider.ts:151

startRotation

startRotation(callback: (pair: JwtKeyPair) => void): void
Start automatic key rotation.
Parameters
- callback: (pair: JwtKeyPair) => void
  invoked after each rotation with the new active key pair.
Returns void
- Defined in packages/core/src/security/identity/IdentityProvider.ts:121

stopRotation

stopRotation(): void
Stop automatic key rotation.

Returns void
- Defined in packages/core/src/security/identity/IdentityProvider.ts:136

Class IdentityProvider

Example

Example

Index

Constructors

Accessors

Methods

Constructors

constructor

Parameters

Returns IdentityProvider

Accessors

activeKeyPair

Returns JwtKeyPair | null

previousKeyPair

Returns JwtKeyPair | null

Methods

getJwks

Returns { keys: JWK[] }

initialize

Returns Promise<void>

rotate

Returns Promise<void>

startRotation

Parameters

Returns void

stopRotation

Returns void

Settings

On This Page