···
In production, you will need a private key to sign OAuth tokens request. Use the
26
-
following command to generate a new JWK (JSON Web Key):
26
+
following command to generate a new private key:
32
-
The generated key must be added to the environment variables (`.env` file) as `PRIVATE_KEY`.
32
+
The generated key must be added to the environment variables (`.env` file) in `PRIVATE_KEYS`.
PRIVATE_KEYS='[{"kty":"EC","kid":"12",...}]'
38
-
Note that you can have multiple keys. Always add new keys at the beginning of
39
-
the array, so that the first key is always the most recent one. When a key is
40
-
removed, all associated sessions will be invalidated.
40
+
> The `PRIVATE_KEYS` can contain multiple keys. The first key in the array is
41
+
> the most recent one, and it will be used to sign new tokens. When a key is
42
+
> removed, all associated sessions will be invalidated.
42
-
Make sure to also set the `COOKIE_SECRET` in your environment variables (`.env` file), which is used to sign session cookies. You can generate a random string for this:
44
+
Make sure to also set the `COOKIE_SECRET`, which is used to sign session
45
+
cookies, in your environment variables (`.env` file). You should use a random
48
-
Finally, set the `PUBLIC_URL` to the URL where your app will be accessible. This is used for OAuth client ID and other configurations.
52
+
Finally, set the `PUBLIC_URL` to the URL where your app will be accessible. This
53
+
will allow the authorization servers to download the app's public keys.
PUBLIC_URL="https://your-app-url.com"
55
-
> You can use services like [ngrok](https://ngrok.com/) to expose your local server to the internet for testing purposes. Just set the `PUBLIC_URL` to the ngrok URL.
61
+
> You can use services like [ngrok](https://ngrok.com/) to expose your local
62
+
> server to the internet for testing purposes. Just set the `PUBLIC_URL` to the
cduck.me