Skip to main content
AspFox uses RS256 (RSA + SHA-256) for JWT signing. This requires a key pair: a private key to sign tokens and a public key to verify them. Both keys must be base64-encoded before adding to .env.

Generate the keys

Add to .env

Copy each base64 string — the entire output, as one continuous string with no line breaks — into your .env:
Never commit key files to your git repository. The scaffolded .gitignore already includes these patterns:
Verify they are present in your .gitignore before making any commits.

Why RS256 instead of HS256

HS256 uses a single shared secret for both signing and verification. Any service that needs to verify tokens must possess the secret — which means the secret has to be distributed to every service. RS256 uses asymmetric keys. Only the API server possesses the private key. Any service that needs to verify tokens gets only the public key. The public key cannot forge tokens; it can only verify them. This matters when you add services that verify AspFox tokens — an edge function, a serverless worker, a third-party integration. They get the public key and can verify tokens independently without any shared secret.

Generate new keys for each environment

Using the same keys across environments means that development JWTs are valid in production (and vice versa). This is a security vulnerability. Keep keys separate.