Signing Payload
Using JWT to sign payload (if applicable)
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
The bolttech API verifies the payload signature with an RSA key pair: the consumer signs the encrypted payload with its private key and shares the matching public key with bolttech, which uses that public key to validate the signature on every request. The private key never leaves the consumer.
Sample with Node.js
Generating Key Pair
The bolttech API consumer needs a key pair to sign the payload. It only has to be generated once. Keep the private key in secure, offline storage, never in source control or in application logs, and share only the public key with the bolttech API team. If the private key is ever exposed, generate a new pair and send bolttech the new public key. An example of how to generate a key pair for payload signing follows:
// Install with: npm i node-rsa
const NodeRSA = require("node-rsa");

// 2048-bit RSA key pair; generate once, not per request
const rsa = new NodeRSA({ b: 2048 });
const keys = rsa.generateKeyPair();

// Private key (PKCS#1 PEM). This is the key that signs payloads: never share it,
// never commit it; keep it in secure and offline storage
const privateKey = keys.exportKey("pkcs1-private-pem");

// Public key (PKCS#8 PEM) to share with the bolttech API team
const publicKey = keys.exportKey("pkcs8-public-pem");

/** SHARE THIS KEY WITH BOLTTECH API TEAM **/
console.log(publicKey);
Signing Encrypted Payload
With the key pair in place, sign the encrypted payload with the private key generated in the previous example before every request to the bolttech API:
/**
 * Install the JWT library with the command
 * npm i jsonwebtoken
 * OR
 * yarn add jsonwebtoken
 */
const fs = require("fs");
const jwt = require("jsonwebtoken");

// Private key from the [Generating Key Pair] example: generated once and loaded
// from secure storage at runtime (the environment variable name is illustrative;
// never hard-code the key in source)
const privateKey = fs.readFileSync(process.env.SIGNING_KEY_PATH, "utf8");

// Use the encrypted data from the [Encrypting Payload] example
const encryptedData =
"3rHECZcvGTRUxp8ijwCXfsBghWyXijeUeaKM7Hxgzcho0m/7C/T1QrdPxp9wtbeqP7QNGxyqBT5J6c7lo+IEvrMtp6Dd3r0BgY36dUAJomaOuE4Pp4Hsu/w0ufCwrjrBKnTZi1q8xPJM6Bd1SEPi2NnoB7...";

// RS256 = RSA PKCS#1 v1.5 signature over SHA-256. jsonwebtoken signs a string
// payload as-is (no JSON wrapping), so the result is a compact JWS of the ciphertext
const signedData = jwt.sign(encryptedData, privateKey, { algorithm: "RS256" });

/** Now you have the data encrypted and signed for communicating with the bolttech API **/
console.log(signedData);