
JWT Task

The JWT task allows you to generate a JWT with customisable headers & payload, with a choice of encryption and/or signing algorithms.

The following headers are automatically added:

{
  "typ": "JWT",
  "alg": "<your selected algorithm>"
}

RS256/RS512 (Signed Tokens)

What it does:

  • Signs the token using asymmetric cryptography (RSA)
  • Ensures authenticity and integrity (proves who created it and that it hasn't been tampered with)
  • Token content is readable by anyone (just Base64 encoded)

How it works:

  • Uses the RSA private key to sign (held only by the issuer)
  • Uses the RSA public key to verify (safe to distribute to every verifier)
  • RS256 uses the SHA-256 hash, RS512 uses the SHA-512 hash

Security:

  • ✅ Tamper-proof - can detect if token was modified
  • ✅ Verified source - proves who signed it
  • ✅ Easy to rotate signing keys - verifiers only hold the public key, so the private key never leaves the issuer and only the public key needs redistributing
  • ❌ Not confidential - anyone can read the payload

HS256 (Signed Token)

Also known as HMAC using SHA-256

What it does:

  • Signs the token using symmetric cryptography
  • Ensures authenticity and integrity (proves who created it and that it hasn't been tampered with)
  • Token content is readable by anyone (just Base64 encoded)

How it works:

  • Uses one shared secret key both to sign and to verify, so every party that can verify a token can also mint one

Security:

  • ✅ Tamper-proof - can detect if token was modified
  • ✅ Verified source - proves it was produced by a holder of the shared secret (the verifier cannot tell the issuer apart from any other holder)
  • ❌ Harder to rotate - the new secret has to be redistributed to every verifier (with asymmetric algorithms only the public key changes hands)
  • ❌ Not confidential - anyone can read the payload

AES128-HS256 (Signed & Encrypted Tokens)

What it does:

  • Encrypts the entire token content (confidentiality)
  • Authenticates the encrypted token with an HMAC tag (integrity, and proof it came from a holder of the key)
  • Token content is hidden from everyone except parties holding the encryption secret

How it works:

  • Uses AES-128 to encrypt the payload
  • Uses HMAC-SHA256 over the encrypted result (encrypt-then-MAC), so a modified ciphertext is rejected before any decryption is attempted
  • Requires a shared secret for each operation: one for encryption, one for the HMAC

Security:

  • ✅ Tamper-proof - can detect modifications
  • ✅ Confidential - payload is encrypted and unreadable without the encryption secret
  • ✅ Authenticated - proves origin and integrity
  • ⚠️ Uses symmetric keys (same key for encrypt/decrypt), so every party that can read the token can also create one; keep both secrets off any system that only needs to consume tokens

Unsigned Tokens (none)

What it does:

  • Creates a token with no cryptographic protection
  • Payload is readable and can be modified by anyone

Security:

  • ❌ No tamper protection
  • ❌ No source verification
  • ❌ Not confidential
  • ⚠️ Only use for testing/development, and make sure every verifier explicitly rejects "alg": "none" rather than treating the missing signature as valid
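The HS256 and "none" descriptions above, as an added example that is not part of this documentation or of the AireGlu task itself. It builds a token the way the task does (the two automatic headers, Base64url-encoded segments, HMAC-SHA256 over header.payload) with only the Python standard library, then shows the three properties the lists describe: the payload is readable without the secret, a modified payload fails verification, and a token claiming "alg": "none" is rejected by a verifier that pins the algorithm. The secret and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url_encode(data: bytes) -> str:
    # JWT segments use unpadded Base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with the headers the task adds automatically."""
    signing_input = _segment({"typ": "JWT", "alg": "HS256"}) + "." + _segment(payload)
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the payload if the token is a valid HS256 token under `secret`.

    The algorithm is pinned before the signature is checked: a token whose header
    says "none" (or anything other than HS256) never reaches the HMAC comparison.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p))


def read_payload_without_key(token: str) -> dict:
    """What 'not confidential' means: anyone can decode the middle segment."""
    return json.loads(b64url_decode(token.split(".")[1]))


def tamper(token: str, **changes) -> str:
    """Re-encode the payload with changed claims but keep the original signature."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(changes)
    return h + "." + _segment(payload) + "." + s


def make_none_token(payload: dict) -> str:
    """An unsigned token: same layout, "alg": "none", empty signature segment."""
    return _segment({"typ": "JWT", "alg": "none"}) + "." + _segment(payload) + "."


def check(token: str, secret: bytes) -> str:
    """Verification outcome as a string, for the walkthrough below."""
    try:
        verify_hs256(token, secret)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)                 # constructed: 256-bit HS256 key
    token = sign_hs256({"sub": "user-123", "role": "reader"}, secret)
    print("readable by anyone:", read_payload_without_key(token))
    print("genuine token:", check(token, secret))
    print("payload edited:", check(tamper(token, role="admin"), secret))
    print("alg none:", check(make_none_token({"sub": "user-123", "role": "admin"}), secret))
```

The important line for a consumer is the `alg` pin in `verify_hs256`: libraries that trust the header's `alg` are exactly how "none" tokens, or an RS256 public key reused as an HMAC secret, get accepted.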

When to Use Which Algorithm

RS256/RS512/HS256: When you need to verify tokens but the payload isn't sensitive (user IDs, permissions). RS256 is recommended over HS256 because verifiers only ever hold the public key, so a compromised or careless verifier cannot mint tokens.

AES128-HS256: When the token contains sensitive data that shouldn't be readable

None: Development/testing only - never in production

Adding the Signing Secret

For RS256/RS512 (RSA algorithms)

  • Format: Base64-encoded RSA private key WITHOUT the PEM header and footer lines
  • The system automatically adds the PEM headers, producing:

    -----BEGIN PRIVATE KEY-----
    [your base64 content here]
    -----END PRIVATE KEY-----

  • Because the headers added are PRIVATE KEY (PKCS#8), supply the body of a PKCS#8 key. If your key file begins -----BEGIN RSA PRIVATE KEY----- (PKCS#1), convert it first, e.g. with openssl pkcs8 -topk8 -nocrypt -in key.pem, and use the body of the converted file
  • Add the base64 content to an AireGlu secret
  • In the signing secret field from the drop down select the secret

For HS256

  • Format: Base64-encoded secret key. The decoded secret should be at least 32 bytes (256 bits), which is the minimum HMAC key size for HS256 in RFC 7518; a randomly generated 32-byte secret encodes to 44 Base64 characters. If the secret comes from a third party, confirm whether the value you were given is the raw secret or is already Base64-encoded, so that you neither double-encode it nor store it un-encoded
  • Add the base64 content to an AireGlu secret
  • In the signing secret field from the drop down select the secret

For AES128HS256

  • Signing Secret: Plain text string (recommended: 32+ characters for security)
  • Encryption Secret: Plain text string (recommended: 16+ characters for AES-128)
  • Both strings are converted to bytes using ASCII encoding, so use ASCII characters only; a printable character carries well under 8 bits of entropy, so treat these lengths as floors and generate the strings randomly rather than choosing passphrases
  • Add the signing secret and encryption secret to an AireGlu secret
  • In the signing secret and encryption secret fields, select the respective secrets from the dropdown
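The three secret-preparation procedures above (RSA key body, HS256 secret, AES128-HS256 secrets), as an added example that is not part of this documentation or of the AireGlu product. It prepares each value in the format the fields above describe and applies the checks a practitioner would want before pasting a secret in: the PEM label is PRIVATE KEY rather than RSA PRIVATE KEY, the Base64 body round-trips, the decoded HS256 secret is long enough, a third-party value is flagged when it may already be Base64, and the AES128-HS256 strings are ASCII and meet the page's minimum lengths. The two PEM samples are constructed stand-ins with placeholder DER bodies, not real keys; the PKCS#8 requirement is inferred from the headers the page says the task adds, and the OID check is a heuristic rather than a DER parser.

```python
import base64
import re
import secrets
import string

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.S)
# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1). It appears in the
# AlgorithmIdentifier of a PKCS#8 RSA key and not in a PKCS#1 "RSA PRIVATE KEY" body.
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")

# Constructed samples (NOT real keys): the bodies hold just enough DER-looking bytes
# for the heuristic below to tell the two encodings apart.
SAMPLE_PKCS8_PEM = ("-----BEGIN PRIVATE KEY-----\n"
                    + base64.b64encode(b"\x30\x10\x02\x01\x00\x30\x0d" + RSA_OID_DER).decode()
                    + "\n-----END PRIVATE KEY-----\n")
SAMPLE_PKCS1_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                    + base64.b64encode(b"\x30\x06\x02\x01\x00\x02\x01\x01").decode()
                    + "\n-----END RSA PRIVATE KEY-----\n")


def rsa_secret_from_pem(pem: str) -> str:
    """Return the Base64 body to store for the RS256/RS512 signing secret.

    Assumption: the task re-wraps this body in PRIVATE KEY headers, i.e. it expects
    PKCS#8, so a PKCS#1 file is rejected here with the conversion command instead
    of being silently wrapped in the wrong headers.
    """
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    if m.group("label") != "PRIVATE KEY":
        raise ValueError(f"expected 'PRIVATE KEY' (PKCS#8), got {m.group('label')!r}; "
                         "convert with: openssl pkcs8 -topk8 -nocrypt -in key.pem")
    body = "".join(m.group("body").split())          # drop the 64-column line breaks
    der = base64.b64decode(body, validate=True)       # raises on a corrupted body
    if RSA_OID_DER not in der[:64]:
        raise ValueError("body does not look like a PKCS#8 RSA key")
    return body


def check_pem(pem: str) -> str:
    """'ok' or the reason the key would be rejected."""
    try:
        rsa_secret_from_pem(pem)
        return "ok"
    except ValueError as exc:
        return str(exc)


def hs256_secret(raw: bytes = None) -> str:
    """Base64 of an HS256 secret, generating 32 random bytes when none is given.
    RFC 7518 requires the HMAC key to be at least as long as the hash output,
    so anything under 32 decoded bytes is refused."""
    raw = secrets.token_bytes(32) if raw is None else raw
    if len(raw) < 32:
        raise ValueError(f"HS256 secret is {len(raw)} bytes; need at least 32")
    return base64.b64encode(raw).decode("ascii")


def third_party_secret_status(value: str) -> tuple:
    """(may_already_be_base64, decoded_length_or_None) for a secret someone sent you.
    Caveat: a hex or alphanumeric raw secret whose length is a multiple of 4 is also
    syntactically valid Base64, so True means 'could be' and the issuer should confirm."""
    if len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return True, len(base64.b64decode(value, validate=True))
    return False, None


ASCII_ALPHABET = string.ascii_letters + string.digits


def aes128_hs256_secrets(signing: str = None, encryption: str = None) -> dict:
    """Validate (or randomly generate) the two plain-text AES128-HS256 secrets.
    The task ASCII-encodes them, so non-ASCII input is refused rather than mangled;
    minimum lengths follow the page (32 signing, 16 encryption)."""
    def gen(n):
        return "".join(secrets.choice(ASCII_ALPHABET) for _ in range(n))
    out = {}
    for name, value, minimum in (("signing", signing, 32), ("encryption", encryption, 16)):
        value = gen(minimum) if value is None else value
        if not value.isascii():
            raise ValueError(f"{name} secret must contain ASCII characters only")
        if len(value) < minimum:
            raise ValueError(f"{name} secret is {len(value)} characters; need at least {minimum}")
        out[name] = value
    return out


if __name__ == "__main__":
    print("PKCS#8 sample:", check_pem(SAMPLE_PKCS8_PEM))
    print("PKCS#1 sample:", check_pem(SAMPLE_PKCS1_PEM))
    print("fresh HS256 secret:", hs256_secret())
    print("'deadbeef' looks base64?", third_party_secret_status("deadbeef"))
    print("AES128-HS256 secrets:", aes128_hs256_secrets())
```

The `third_party_secret_status` result for a value such as `deadbeef` shows why the page tells you to check with the sender: the string is valid Base64 (it decodes to 6 bytes) even though it was almost certainly meant as a raw hex secret.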