If you are verifying Zaikio signed JSON Web Tokens (JWTs) as described in our JWT Validation guide, please read this announcement. If you are not offering an API that accepts Zaikio's JWTs (e.g. you are consuming the Procurement API), you do not need to take any action.

In order to improve regular security measures we will start rotating keys that are used to sign Zaikio's JWTs.

We will do future rotations unannounced and randomly, so please make sure you are following our instructions.

What do I need to do?

1. Make sure you are not hardcoding Zaikio's public keys from /api/v1/jwt_public_keys. Instead read those keys directly from our API or cache them for an hour maximum.
2. Make sure that your JWT library accepts multiple keys and that you try all published keys. Have a look in our JWT Validation guide for some implementation examples. We will always have some older keys, that have still JWTs that are signed with those (e.g. a personal access token is valid for 1 year), which is why you always have to support all keys, that you can find in /api/v1/jwt_public_keys. Our new public key is already available but not used yet to sign JWTs.

What's next?

• On Monday May 9th, 2022 around 10:00 AM CEST we will sign new JWTs with our new JWK on sandbox.
• On Wednesday May 11th, 2022 around 10:00 AM CEST we will sign new JWTs with our new JWK on production.