
AspFox uses RS256 (RSA + SHA-256) for JWT signing. This requires a key pair: a private key to sign tokens and a public key to verify them. Both keys must be base64-encoded before being added to .env.

Generate the keys

# PowerShell (Windows). Generate a 4096-bit RSA key pair; -m PEM writes the private key
# as PEM, and -N '""' is the quoting that passes an empty passphrase from PowerShell
ssh-keygen -t rsa -b 4096 -m PEM -f jwt.key -N '""'

# ssh-keygen writes jwt.key.pub in OpenSSH format, not PEM; export it as a PEM
# "-----BEGIN PUBLIC KEY-----" block, the format the .env sample below shows.
# Out-File -Encoding ascii avoids the UTF-16 file that > produces in Windows PowerShell 5.1
ssh-keygen -e -m PKCS8 -f jwt.key.pub | Out-File -Encoding ascii jwt.pub.pem

# Print the base64-encoded private key (one line; copy the whole output)
[Convert]::ToBase64String([IO.File]::ReadAllBytes("jwt.key"))

# Print the base64-encoded public key
[Convert]::ToBase64String([IO.File]::ReadAllBytes("jwt.pub.pem"))

Add to .env

Copy each base64 string — the entire output, as one continuous string with no line breaks — into your .env:
JWT_PRIVATE_KEY=LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS…(long string)
JWT_PUBLIC_KEY=LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQ0lqQU5C…(long string)
Never commit key files to your git repository. The scaffolded .gitignore already includes these patterns:
*.key
*.pem
*.der
jwt-keys.txt
Verify they are present in your .gitignore before making any commits.
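Before the first run it is worth proving that the two .env values are a matching PEM pair. The check below is an added example, not AspFox code: it reads JWT_PRIVATE_KEY and JWT_PUBLIC_KEY from a .env in the current directory (an assumption), enforces the single-line base64 rule, then signs a test RS256 token with the private key and verifies it with the public key only. It assumes PowerShell 7 (.NET 5+), which provides RSA.ImportFromPem.

```powershell
# Added key-pair check (not part of AspFox). Assumes PowerShell 7 / .NET 5+ and ./.env
$vars = @{}
foreach ($line in Get-Content ".env") {
    if ($line -match '^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$') { $vars[$Matches[1]] = $Matches[2].Trim() }
}

function ConvertFrom-Base64Pem([string]$Name) {
    # The .env value must be one continuous base64 string that decodes to a PEM block
    $b64 = $vars[$Name]
    if (-not $b64)        { throw "$Name is missing from .env" }
    if ($b64 -match '\s') { throw "$Name contains whitespace or a line break" }
    $pem = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($b64))
    if ($pem -notmatch '^-----BEGIN ') { throw "$Name does not decode to PEM (OpenSSH-format .pub?)" }
    return $pem
}

function ConvertTo-Base64Url([byte[]]$Bytes) {
    # JWT segments are unpadded base64url
    return [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

$priv = [Security.Cryptography.RSA]::Create()
$priv.ImportFromPem((ConvertFrom-Base64Pem 'JWT_PRIVATE_KEY'))
$pub = [Security.Cryptography.RSA]::Create()
$pub.ImportFromPem((ConvertFrom-Base64Pem 'JWT_PUBLIC_KEY'))

# RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "base64url(header).base64url(payload)"
$sha256  = [Security.Cryptography.HashAlgorithmName]::SHA256
$pkcs1   = [Security.Cryptography.RSASignaturePadding]::Pkcs1
$header  = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"alg":"RS256","typ":"JWT"}'))
$payload = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"sub":"keycheck","iat":0}'))
$signingInput = [Text.Encoding]::ASCII.GetBytes("$header.$payload")
$sig = $priv.SignData($signingInput, $sha256, $pkcs1)

# Verification uses the public key only; a public key from another environment fails here
if (-not $pub.VerifyData($signingInput, $sig, $sha256, $pkcs1)) {
    throw "JWT_PUBLIC_KEY does not match JWT_PRIVATE_KEY"
}
"OK: matching $($priv.KeySize)-bit RSA pair. Test token: $header.$payload.$(ConvertTo-Base64Url $sig)"
```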

Why RS256 instead of HS256

HS256 uses a single shared secret for both signing and verification. Any service that needs to verify tokens must possess the secret — which means the secret has to be distributed to every service. RS256 uses asymmetric keys. Only the API server possesses the private key. Any service that needs to verify tokens gets only the public key. The public key cannot forge tokens; it can only verify them. This matters when you add services that verify AspFox tokens — an edge function, a serverless worker, a third-party integration. They get the public key and can verify tokens independently without any shared secret.

Generate new keys for each environment

Local development  →  one key pair
Staging            →  different key pair
Production         →  different key pair
Using the same keys across environments means that development JWTs are valid in production (and vice versa). This is a security vulnerability. Keep keys separate.