Spec

  1. The access token must be a JWT (https://jwt.io), as defined by RFC 7519.
  2. The token must be signed with RS256: RSA PKCS#1 signature with SHA-256 as the hashing algorithm.
  3. Longer RSA keys offer stronger protection against cracking. RSA recommends a key size of at least 2048 bits.
  4. Detailed meta in JWT
    • algo
      • RS256
    • iss
      • urn:your_company_name
    • aud
      • urn:fstk:engine
    • sub
      • urn:fstk:engine:s2s_token
    • kid
      • Public key id provided by FsTK, after public key is registered in FsTK
    • exp
      • Must not exceed 1 minute (regenerate the token for every API request, for safety)
  5. Please provide the RSA public key in advance, so that FsTK can verify that the JWT was signed by your company's authority.
  6. Please call the FsTK API with an access token that follows the rules above.

How to generate an RSA 2048-bit key pair

Example
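
The following is an added example, not code from FsTK or from the original page: it generates a 2048-bit RSA key pair with the openssl CLI, builds a token with the fields listed in the spec, and runs the checks a receiver would apply (pinned algorithm, signature, 1-minute exp window). It assumes `kid` travels in the JWT header next to `alg` (the RFC 7515 name for the algorithm field); the function names and the kid value are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: RS256 token per the spec above, using the openssl CLI.
# Usage: gen_keypair priv.pem pub.pem; make_token priv.pem <kid> urn:your_company_name
# kid/iss are caller-supplied and assumed to need no JSON escaping.

b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

b64url_dec() {  # stdin: base64url text, stdout: raw bytes
  local s; s=$(tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done  # restore stripped padding
  printf '%s' "$s" | openssl base64 -d -A
}

gen_keypair() {  # $1 = private key file (keep secret), $2 = public key file (to register)
  ( umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null ) &&
    openssl pkey -in "$1" -pubout -out "$2"
}

make_token() {  # $1 = private key, $2 = kid, $3 = iss, $4 = lifetime in seconds (default 60)
  local hdr claims sig
  hdr=$(printf '{"alg":"RS256","kid":"%s"}' "$2" | b64url)
  claims=$(printf '{"iss":"%s","aud":"urn:fstk:engine","sub":"urn:fstk:engine:s2s_token","exp":%d}' \
    "$3" "$(( $(date +%s) + ${4:-60} ))" | b64url)
  sig=$(printf '%s' "$hdr.$claims" | openssl dgst -sha256 -sign "$1" -binary | b64url)
  [ -n "$sig" ] && printf '%s.%s.%s\n' "$hdr" "$claims" "$sig"
}

# Receiver-side checks (a sketch of what a verifier does, not FsTK's code):
# pinned alg, RSA signature, exp in the future and at most 60 s ahead.
# grep/sed stand in for a JSON parser and only handle compact JSON.
verify_token() {  # $1 = token, $2 = public key file
  local hdr rest claims sigf ok exp now
  hdr=${1%%.*}; rest=${1#*.}; claims=${rest%%.*}
  printf '%s' "$hdr" | b64url_dec | grep -q '"alg":"RS256"' || return 1
  sigf=$(mktemp) || return 1
  printf '%s' "${rest#*.}" | b64url_dec > "$sigf"
  printf '%s' "$hdr.$claims" |
    openssl dgst -sha256 -verify "$2" -signature "$sigf" >/dev/null 2>&1
  ok=$?; rm -f "$sigf"; [ "$ok" -eq 0 ] || return 1
  exp=$(printf '%s' "$claims" | b64url_dec | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')
  now=$(date +%s)
  [ -n "$exp" ] && [ "$exp" -gt "$now" ] && [ "$exp" -le $(( now + 60 )) ]
}
```

Only the public key file leaves your side; the private key stays on the host that signs, and a fresh token is produced for each request so that exp stays within the 1-minute limit.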