RS256 JWT Authentication
This demo showcases JWT authentication using RSA-2048 keys with the RS256 algorithm,
based on the AgentCube pkg/router/jwt.go implementation.
1. Generate RSA Key Pair
Generate a new RSA-2048 key pair for signing JWT tokens. The private key is used for signing, and the public key is used for verification.
⚠️ Private key is never exposed in production
2. Generate JWT Token
Create a JWT token with custom claims. The token will be signed with the private key and include standard claims (iss, iat, exp).
Token Structure
JWT tokens consist of three parts separated by dots: Header.Payload.Signature
{"alg":"RS256","typ":"JWT"}
The signature is created by signing the base64url-encoded header and payload, joined by a dot, with the RSA private key using the RS256 algorithm.
3. Validate JWT Token
Validate a JWT token by checking its signature, expiration, and algorithm. This demonstrates the verification process used by the AgentCube Router.
Security Features
Algorithm Confusion Prevention
Explicitly verify the algorithm in the token header to prevent attackers from switching to a weaker algorithm (e.g., "none").
Short-Lived Tokens
Tokens expire after 15 minutes (5 minutes in production AgentCube). Use refresh tokens for long-lived sessions.
RSA-2048 Security
RSA-2048 provides strong cryptographic security. The private key is never exposed, and only the public key is shared for verification.
Token Claims
Standard claims (iss, iat, exp) plus custom claims (userId, namespace, roles) provide identity and authorization information.
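The validation steps from section 3 and the algorithm check listed above, as an added Go example that is not AgentCube's code or this demo's own. It uses only the standard library instead of the jwt package the page references, and the names NewKey, Sign and Verify and the "demo" issuer value are assumptions made here.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// NewKey generates the RSA-2048 key pair; only &key.PublicKey goes to verifiers.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// Sign returns Header.Payload.Signature; alg is a parameter only so tests can forge headers.
func Sign(key *rsa.PrivateKey, alg string, claims map[string]interface{}) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	p, _ := json.Marshal(claims)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig), err
}
// Verify pins alg to RS256 before any signature work, then checks signature and exp.
func Verify(pub *rsa.PublicKey, token string, now time.Time) error {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	hb, err := b64.DecodeString(parts[0])
	if err != nil || len(parts) != 3 || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return fmt.Errorf("malformed token or alg %q is not RS256", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return fmt.Errorf("bad signature")
	}
	var c struct{ Exp int64 `json:"exp"` }
	pb, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil || c.Exp == 0 || now.Unix() >= c.Exp {
		return fmt.Errorf("token expired or exp missing")
	}
	return nil
}
func main() { // constructed demo; errors ignored for brevity
	key, _ := NewKey()
	tok, _ := Sign(key, "RS256", map[string]interface{}{"iss": "demo", "exp": time.Now().Add(5 * time.Minute).Unix()})
	fmt.Println(Verify(&key.PublicKey, tok, time.Now()), Verify(&key.PublicKey, tok, time.Now().Add(time.Hour)))
}
```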
AgentCube Implementation Reference
This demo is based on the AgentCube Router JWT implementation:
- RSA-2048 key generation (rsaKeySize = 2048)
- RS256 signing algorithm (jwt.SigningMethodRS256)
- 5-minute token expiration (jwtExpiration = 5 * time.Minute)
- Key storage in Kubernetes Secrets
- Standard claims: exp, iat, iss