JWT secret setting
AyaNova uses JSON Web Tokens (JWT) for authentication.
These time-limited tokens are signed by the server using a JWT secret key and issued to users when they log in to the AyaNova server.
Every time the user makes a request to the server, the JWT is sent along as well and verified to be valid.
Tokens have a built-in expiry mechanism of 5 days from issue.
All active tokens previously issued can be invalidated by changing this JWT Secret setting and restarting the server (or restarting the server and allowing it to choose a new secret value randomly if none is specified).
(Individual users can be prevented from logging in or accessing the server by setting them inactive, which takes effect immediately regardless of how many days are left on their current access token.)
If no secret key is specified, the server will generate a new, random one each time it starts. This means that remote users who previously authenticated will need to log in again if the server is restarted.
If you would like to ensure that a server reboot does not affect remote users' credentials, you can specify a value for the secret key so that the same key will always be used by the server even if it reboots.
AyaNova expects the JWT secret to be provided by a config.json property, environment variable or command line parameter named
The value specified should be a string of up to 32 characters, for example:
If fewer than 32 characters are provided, the secret will be padded out to 32 characters. If more than 32 characters are specified, only the first 32 will be used.
You should use the same precautions as for choosing any other password and ensure the secret is not well known or easily looked up in a dictionary. 32 random characters would be sufficient.
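The following added example (not AyaNova's own code) illustrates the behaviour described above with a minimal HS256 JWT signer and verifier: the secret is normalised to 32 characters (padding with `0` is an assumption; the page does not say which character AyaNova pads with), tokens carry a 5-day expiry, and a token signed under one secret fails verification once the secret is changed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET_LEN = 32
TOKEN_LIFETIME = 5 * 24 * 3600  # 5 days, as stated on the page


def normalize_secret(secret: str, pad: str = "0") -> bytes:
    """Keep the first 32 characters, padding shorter values (pad char is an assumption)."""
    return secret[:SECRET_LEN].ljust(SECRET_LEN, pad).encode()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: str, user: str, now: int) -> str:
    """Sign {sub, iat, exp} with HMAC-SHA256 under the normalised secret."""
    compact = {"separators": (",", ":")}
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    claims = {"sub": user, "iat": now, "exp": now + TOKEN_LIFETIME}
    payload = _b64(json.dumps(claims, **compact).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(normalize_secret(secret), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(secret: str, token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None  # malformed token
    if json.loads(_unb64(header)).get("alg") != "HS256":
        return None  # refuse anything but the expected algorithm
    signing_input = f"{header}.{payload}".encode()
    expected = hmac.new(normalize_secret(secret), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # signed under a different secret, e.g. after rotation
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None  # past the 5-day lifetime
    return claims
```

Because only the first 32 characters count, two secrets that agree on their first 32 characters verify each other's tokens, which is why the page recommends 32 random characters.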
Example config.json entry
Example command line parameter
Example environment variable