{"id":"security-jwt-federated-verification","slug":"security-jwt-federated-verification","title":"Federated JWT Security and JWKS Verification","description":"Allied nations running joint operations should not need to share secret keys to verify each other's authentication tokens. Neither should the dozens of internal services in a zero-trust microservice architecture. The mom","category":"management","tags":["management","real-time","compliance","blockchain"],"lastModified":"2026-03-02","source_ref":"content/modules/security-jwt-federated-verification.md","url":"/developers/security-jwt-federated-verification","htmlPath":"/developers/security-jwt-federated-verification","jsonPath":"/api/docs/modules/security-jwt-federated-verification","markdownPath":"/api/docs/modules/security-jwt-federated-verification?format=markdown","checksum":"8148ba1bbb611151868910a41bb74a5106dce63bf14c99614cbab2cb2782372e","headings":[{"id":"overview","text":"Overview","level":2},{"id":"key-features","text":"Key Features","level":2},{"id":"use-cases","text":"Use Cases","level":2},{"id":"integration","text":"Integration","level":2},{"id":"availability","text":"Availability","level":2}],"markdown":"# Federated JWT Security and JWKS Verification\n\n## Overview\n\nAllied nations running joint operations should not need to share secret keys to verify each other's authentication tokens. Neither should the dozens of internal services in a zero-trust microservice architecture. The moment you share a symmetric secret for token verification, every system that holds that secret becomes a potential point of compromise.\n\nArgus enforces RS256 asymmetric cryptographic signing for all platform authentication tokens, with public key distribution through a standards-compliant JWKS (JSON Web Key Set) endpoint. Any participating system can validate tokens using publicly available key material, with no bilateral key exchange required. The module permanently disables symmetric HS256 signing, closing the downgrade attack surface entirely. JWT-based authentication supports auto-refresh with rotating refresh tokens, ensuring active sessions stay alive without forcing re-authentication while keeping each token's validity window short.\n\n```mermaid\nsequenceDiagram\n participant U as User / Service\n participant AS as Auth Service (Issuer)\n participant JWKS as /.well-known/jwks.json\n participant SVC as Verifying Service\n participant RL as Revocation Check\n\n U->>AS: Authenticate (credentials + MFA)\n AS->>AS: Sign JWT with RSA-SHA256 private key (kid)\n AS-->>U: Access Token + Refresh Token\n U->>SVC: Request + Bearer Token\n SVC->>JWKS: Fetch public key for kid\n JWKS-->>SVC: RSA public key\n SVC->>RL: Check token revocation (fail-closed)\n RL-->>SVC: Valid\n SVC-->>U: Authorised Response\n Note over AS,JWKS: Key rotation publishes new kid
grace period accepts old kid\n```\n\n## Key Features\n\n- **RS256-Only Token Signing**: All JWT tokens are signed exclusively with RSA-SHA256 using 2048-bit or larger keys. HS256 and other symmetric algorithms are permanently disabled to prevent downgrade attacks.\n- **JWKS Public Endpoint**: A standards-compliant `/.well-known/jwks.json` endpoint publishes current and rotated public keys, enabling any federated participant to verify tokens without prior key exchange.\n- **Key Rotation with Auto-Refresh**: Automated key rotation with configurable rotation periods, grace periods for in-flight tokens signed with previous keys, and key identifier (kid) tracking for seamless transitions. JWT access tokens are automatically refreshed before expiry using rotating refresh tokens.\n- **Fail-Closed Token Revocation**: Token revocation checks default to denying access when the revocation service is unavailable, preventing authentication bypass during system disruptions.\n- **Multi-Tenant Key Isolation**: Each tenant operates with independent signing keys, preventing token forgery across tenant boundaries even if a single tenant's infrastructure is compromised.\n- **EU Regulations Compliance**: Token architecture meets EU Regulations requirements for federated authentication across multi-national deployments, supporting independent verification by all participating nations.\n- **Token Introspection**: A standards-compliant token introspection endpoint serves systems that require real-time token validity checking beyond signature verification.\n- **Audit Trail**: All token issuance, verification, revocation, and key rotation events are logged with full context for security audit and incident investigation.\n\n## Use Cases\n\n- **Multi-National Operations**: Allied nations deploy independent Argus instances that accept each other's authentication tokens through JWKS-based verification, enabling single sign-on across national boundaries without shared secrets.\n- **Microservice Architecture**: Internal platform services verify authentication tokens using the JWKS endpoint without requiring access to signing keys, enabling zero-trust service-to-service authentication.\n- **Third-Party Integration**: External systems validate Argus-issued tokens to authorise API access, using the public JWKS endpoint for key material without requiring bilateral credential sharing.\n- **Compliance Auditing**: Security auditors verify that all authentication tokens use approved cryptographic algorithms and key strengths by inspecting the JWKS endpoint and token headers.\n\n## Integration\n\nThe module is embedded in the authentication service and consumed by all platform components for token verification. It connects to the secrets management system for private key storage, the audit logging platform for authentication event recording, and the compliance dashboard for cryptographic compliance monitoring. The JWKS endpoint is publicly accessible for federated verification by external systems.\n\n## Availability\n\n- Enterprise Plan: Full federated JWT security included\n- Professional Plan: RS256 token signing included; federated JWKS and multi-tenant key isolation available as add-on\n\n**Last Reviewed:** 2026-03-02\n**Last Updated:** 2026-04-14\n"}