JWT authentication lets your backend mint short-lived tokens instead of using a long-lived API key. Before you can issue JWTs, you register a public signing key with Rhinestone from the Dashboard under API keys → JWT keys.
This page covers registering and managing keys in the dashboard. For how the SDK signs and uses JWTs — including per-request sponsorship policies — see JWT authentication.

Registering a key

Press “Register key”. You can either generate a keypair in your browser or upload a public key you already have.
The dashboard generates a keypair in your browser. Only the public key is sent to Rhinestone — the private key never leaves your machine.
1. Fill in the form

  • Integrator ID — your organisation’s identifier, emitted as the iss claim in the JWTs you sign. Typically your service’s name.
  • Key ID — identifier for this specific key, emitted as the kid header. Use a stable name you can rotate later (e.g. prod-2026-06).
Press “Create Key”.
2. Download the private key

Download the private key file and store it securely on your backend.
Once registered, the key shows as active in the list, with its Key ID and Integrator ID.

Rotating keys

Register a new key with a new Key ID and start signing tokens with it. Tokens signed under the old kid keep verifying until they expire, so there’s no coordinated client deploy and no revocation race. Disable the old key once nothing signs with it.
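
The rotation overlap described above, modelled locally as an added example (not Rhinestone's code or SDK). It assumes ES256 signatures, an in-memory registry keyed by iss and kid, a constructed Integrator ID and second Key ID (prod-2026-12), and that a disabled key stops verifying.

```javascript
// Added example, not Rhinestone code. ES256 is an assumed algorithm.
const crypto = require("node:crypto");

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));
const P1363 = "ieee-p1363"; // raw r||s signature encoding used by JWS ES256

function signJwt(privateKey, { iss, kid, now, ttl }) {
  const input = `${enc({ alg: "ES256", typ: "JWT", kid })}.${enc({ iss, iat: now, exp: now + ttl })}`;
  const sig = crypto.sign("sha256", Buffer.from(input), { key: privateKey, dsaEncoding: P1363 });
  return `${input}.${sig.toString("base64url")}`;
}

// registry: Map "iss/kid" -> { publicKey, active }; a stand-in for the registered key list.
function verifyJwt(registry, token, now) {
  const [h, p, s] = token.split(".");
  let header, claims;
  try { header = dec(h); claims = dec(p) || {}; } catch { return "malformed"; }
  if (header?.alg !== "ES256") return "bad-alg"; // pin the algorithm, do not trust the header
  const entry = registry.get(`${claims.iss}/${header.kid}`);
  if (!entry) return "unknown-key";
  if (!entry.active) return "key-disabled"; // assumed effect of "Disable"
  const ok = crypto.verify("sha256", Buffer.from(`${h}.${p}`),
    { key: entry.publicKey, dsaEncoding: P1363 }, Buffer.from(s || "", "base64url"));
  if (!ok) return "bad-signature";
  return typeof claims.exp === "number" && now < claims.exp ? "ok" : "expired";
}

function rotationDemo() {
  const gen = () => crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" }); // P-256
  const oldKey = gen(), newKey = gen();
  const iss = "example-service", t0 = 1700000000, ttl = 300; // constructed values
  const registry = new Map([[`${iss}/prod-2026-06`, { publicKey: oldKey.publicKey, active: true }]]);
  const oldTok = signJwt(oldKey.privateKey, { iss, kid: "prod-2026-06", now: t0, ttl });
  // Rotation: register the new key and switch signing to it.
  registry.set(`${iss}/prod-2026-12`, { publicKey: newKey.publicKey, active: true });
  const newTok = signJwt(newKey.privateKey, { iss, kid: "prod-2026-12", now: t0 + 60, ttl });
  const mislabeled = signJwt(oldKey.privateKey, { iss, kid: "prod-2026-12", now: t0 + 60, ttl });
  const out = {
    oldDuringOverlap: verifyJwt(registry, oldTok, t0 + 120),
    newDuringOverlap: verifyJwt(registry, newTok, t0 + 120),
    oldKeyUnderNewKid: verifyJwt(registry, mislabeled, t0 + 120),
    oldAfterExpiry: verifyJwt(registry, oldTok, t0 + ttl),
  };
  registry.get(`${iss}/prod-2026-06`).active = false; // nothing signs with the old key any more
  out.oldAfterDisable = verifyJwt(registry, oldTok, t0 + 120);
  out.newAfterDisable = verifyJwt(registry, newTok, t0 + 120);
  return out;
}
```

The oldAfterDisable case shows why the page says to disable the old key only once nothing signs with it: under the assumption above, a token that has not yet expired stops verifying the moment its key is disabled.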

Disabling a key

Open the key and press “Disable”.