1. Access token must be a JWT (https://jwt.io), RFC-7519 standard.
  2. Using RS256 – RSA PKCS#1 signature with SHA-256 as the hashing algorithm.
  3. Longer RSA keys offer stronger protection against cracking. RSA recommends a key size of at least 2048 bits.
  4. Detailed meta in JWT
    • algo
      • RS256
    • iss
      • urn:your_company_name
    • aud
      • urn:fstk:engine
    • sub
      • urn:fstk:engine:s2s_token
    • kid
      • Public key id provided by FsTK, after public key is registered in FsTK
    • exp
      • Must not exceed 1 minute (re-generate token every api request for safety)
  5. Please provide the RSA public key in advance, for FsTK to verify the JWT if it’s signed by the autority of your company.
  6. Please call to FsTK API with the access token follows the rules above.

How to generate RSA 2048 bits key pair

# rsa 2048 bits
openssl genrsa -des3 -out ${name}_rsa2048_private.pem 2048
openssl rsa -in ${name}_rsa2048_private.pem -outform PEM -pubout -out ${name}_rsa2048_public.pem


const fs = require('fs');
const jwt = require('jsonwebtoken');

const privateKey = fs.readFileSync(

const server_to_server_access_token = jwt.sign({}, privateKey, {
  algorithm: 'RS256',
  keyid: '52344262-36b4-47d5-b654-d893ee6a2ed1',
  expiresIn: '1m',
  issuer: 'urn:your_company_name',
  audience: 'urn:fstk:engine',
  subject: 'urn:fstk:engine:s2s_token',