
Token signing and encryption

The Eligibility Verification API makes use of Signed and Encrypted JSON Web Tokens (JWS, JWE, JWT) as a means of data transfer.

A public/private keypair must be generated by each party (Client and Server). Example keys for the Client and Server are included for the test verification server and sample agencies.

Generating new keypairs

Using a terminal like bash and the openssl program, generate a 2048-bit RSA private key:

openssl genrsa -out [file name].key 2048

Extract the public key:

openssl rsa -in [private key created above].key -pubout > [file name].pub

There are two new files:

  • [file name].key: private key in PEM format, needed by the Client only
  • [file name].pub: public key in PEM format, give to the Eligibility Verification server

The Client also requires a public key from the Eligibility Verification server, so this process must be repeated to generate the Server’s keypair.

The Server’s private key should not be shared.

Format for config file

To get a single-line version of a PEM key, suitable for a JSON configuration file:

awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' <your PEM file here>
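
The steps above run end to end, followed by a check that the single-line value still decodes to the public half of the private key. This is an added example, not code from the Eligibility Verification project; the function names and the `client` file name are assumptions.

```shell
#!/bin/sh
# Added example, not project code. Function and file names are hypothetical.

# Steps from the page: 2048-bit RSA private key, then its public key.
# umask 077 keeps the private key readable by its owner only.
gen_keypair() {  # $1 = base name, e.g. ./client
  ( umask 077 && openssl genrsa -out "$1.key" 2048 ) >/dev/null 2>&1 || return 1
  openssl rsa -in "$1.key" -pubout -out "$1.pub" >/dev/null 2>&1
}

# The page's awk program: drop blank lines and CRs, end each line with a literal \n.
pem_to_line() {  # $1 = PEM file
  awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' "$1"
}

# Inverse of pem_to_line: what a JSON parser yields when it loads the config value.
line_to_pem() {  # $1 = single-line key
  printf '%s' "$1" | awk '{gsub(/\\n/, "\n"); printf "%s", $0}'
}

# Re-encode the public key of the PEM on stdin in openssl's canonical form.
# $1 is "-pubin" for a public key, empty for a private key. Empty output on error.
canonical_pub() {
  openssl pkey $1 -pubout 2>/dev/null
}

# Succeeds only if the single-line value $2 decodes to the public half of key file $1.
check_config_value() {
  cv_want=$(canonical_pub < "$1")
  cv_got=$(line_to_pem "$2" | canonical_pub -pubin)
  [ -n "$cv_want" ] && [ "$cv_want" = "$cv_got" ]
}

# Demo in a throwaway directory (runs only where openssl is installed).
if command -v openssl >/dev/null 2>&1; then
  demo_dir=$(mktemp -d)
  gen_keypair "$demo_dir/client" &&
    check_config_value "$demo_dir/client.key" "$(pem_to_line "$demo_dir/client.pub")" &&
    echo "single-line public key matches the private key"
  rm -rf "$demo_dir"
fi
```

Running `check_config_value` against the value pasted into the JSON file catches a truncated paste or a public key that belongs to a different keypair before the first token exchange fails.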