RS256 infrastructure

Public/private key management

The Finqware v1s endpoint uses an asymmetric (RS256) scheme for signing requests:

  • the public/private key issuing is based on Google Cloud's IAM (Identity and Access Management) infrastructure.

  • each company registered with Finqware will have a service account (managed by Finqware or self-managed, please see below)

  • each GCP service account may have up to 10 public/private key pairs, which can be created and destroyed for key rotation or when a private key is compromised.

  • the public key is automatically published at a Google-hosted JWKS endpoint

  • an application issues & signs a JWT and sends it in the Authorization header; Finqware's API gateway verifies the signature using the JWKS endpoint, together with the other claims it checks (iss, aud & exp).
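The last bullet, as an added example in Go that is not Finqware's or Google's code: SignJWT plays the application and VerifyJWT plays the API gateway. It assumes the published public keys have already been fetched into a map keyed by kid (standing in for the JWKS endpoint lookup) and generates a throwaway RSA key in place of the service-account file downloaded from GCP.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding // JWT segments are unpadded base64url
func encode(v any) string { b, _ := json.Marshal(v); return enc.EncodeToString(b) }
func decode(s string, v any) error { b, err := enc.DecodeString(s); return errors.Join(err, json.Unmarshal(b, v)) }
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }

// NewKey stands in for the private_key field of the service-account JSON that GCP downloads (constructed locally here).
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// SignJWT builds header.payload.signature with RS256 (RSASSA-PKCS1-v1_5 over SHA-256); kid names the signing key pair.
func SignJWT(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	input := encode(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + encode(claims)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	return input + "." + enc.EncodeToString(sig), err
}

// VerifyJWT mirrors the gateway: pick the key by kid from the published set (stand-in for the JWKS lookup), check the signature, then iss, aud and exp.
func VerifyJWT(token string, keys map[string]*rsa.PublicKey, iss, aud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	var claims map[string]any
	if len(parts) != 3 || decode(parts[0], &hdr) != nil || decode(parts[1], &claims) != nil {
		return nil, errors.New("malformed token")
	}
	pub, ok := keys[hdr.Kid] // a disabled or deleted key is simply no longer published
	if hdr.Alg != "RS256" || !ok { // pin the algorithm; never let the token choose it
		return nil, errors.New("unexpected alg or unknown kid")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return nil, errors.New("bad signature")
	}
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64; a missing exp reads as 0 and is rejected
	if claims["iss"] != iss || claims["aud"] != aud || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("iss/aud mismatch or token expired")
	}
	return claims, nil
}
```

Removing a kid from the map reproduces what the gateway sees after a key is disabled or deleted on the GCP side: tokens signed with that key stop verifying without any change to the gateway code.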

Private keys may be either managed by Finqware (a) or self-managed (b):

  • a. created & managed by Finqware, distributed using a secure method (e.g. GPG encryption)

  • b. created by the application developer using their own Google Cloud project (free of charge); the developer only needs to share the coordinates of the public key (the generated service account's email & the JWKS URL).

Self-managed keys

Self-managing your own key pairs requires an account with Google Cloud Platform. Creating an account and a GCP project is free of charge.

How to create a public/private key pair

  1. Create a service account under the IAM & Admin, service accounts section. The service account requires the Service Account Token Creator role.

  2. Create a key pair under the new service account. Once created, the private key file is automatically downloaded to your drive.

Once you have downloaded the private key file (JSON) from GCP, open it and extract the public key's coordinates:

  • client_email

  • client_x509_cert_url

Send this information to Finqware if you self-manage your keys. This is public information; there is no need to encrypt the communication. Make sure you do not share the full JSON file or the data under the private_key field.

Key rotation & revoking

Key rotation:

  • Create a new public/private key pair and share the public key with Finqware.

  • Finqware will register the new public key with the API Gateway.

  • Start using the new private key & disable/delete the previous key.

Keys may be revoked from the GCP GUI by doing either or both of the following:

  • disable or delete the key

  • disable the service account
