Publish Pub Key Set | DSX Exchange

Publish one JWK for the given tenant and kid. Publishers (e.g. SPIRE) use this to advertise a public key for verification or encryption.

Direction: Publish (send)

Channel

spiffe-exchange/v1/pub-keysets/tenant/{tenant_domain}/kid/{kid}

Parameters

Parameter	Description
`tenant_domain`	Tenant domain identifier (e.g. tenant namespace or domain name).
`kid`	Key ID (kid) for this key; aligns with JWS/JWE header kid.

Message: JWK (RFC 7517)

Content Type: application/json

Payload

Name	Type	Required	Description
`kty`	string	Yes	Key type (e.g. RSA, EC, OKP). Values: `RSA`, `EC`, `OKP`
`use`	string	No	Public key use (sig, enc, or omitted). Values: `sig`, `enc`
`key_ops`	array<string>	No	Key operations (e.g. verify, encrypt).
`alg`	string	No	Algorithm (e.g. ES256, RS256, EdDSA).
`kid`	string	No	Key ID; should match the topic kid when present.
`n`	string	No	RSA modulus (Base64url).
`e`	string	No	RSA public exponent (Base64url).
`crv`	string	No	Elliptic curve (e.g. P-256, P-384).
`x`	string	No	EC x coordinate (Base64url).
`y`	string	No	EC y coordinate (Base64url).

Example payload

1 {
2   "kty": "RSA",
3   "use": "sig",
4   "key_ops": [
5     "string"
6   ],
7   "alg": "string",
8   "kid": "string",
9   "n": "string",
10   "e": "string",
11   "crv": "string",
12   "x": "string",
13   "y": "string"
14 }