Set up license token validation keys

Use the 10Duke Scale UI console to set up the validation key pairs needed for the signing and verification of license tokens in license consumption.

At checkout and heartbeat, 10Duke Scale returns a JSON Web Token (JWT) license token to your client application, signed using the private key from the currently active key pair in 10Duke Scale. The application uses the corresponding public key to verify the signature of the license token.

You can create multiple key pairs for the purpose of periodically rolling the keys. Only one key pair can be active at a time. Currently all keys are valid indefinitely, so you roll keys manually by changing which key pair is the active one.

Your client application can retrieve the public keys through 10Duke Scale License Management API. When returning a signed license token, 10Duke Scale also includes the ID of the key pair that was used, which the application uses to identify which public key it needs to use.

Manage validation keys in the UI console

To manage the validation keys for license tokens, go to SETTINGS > Token validation keys in the UI console.

Token validation keys list

The list shows which of the key pairs is currently active, and you can manage the key pairs as follows:

  • To generate a new key pair, click Generate new key. The new key is added at the bottom of the list.

  • To set a key pair as the active key pair, click Set as active next to it, and click Yes to confirm the change.

  • To delete a key pair, click the trash can icon next to it, and click Yes to confirm the deletion. You cannot delete the active key pair.

To see the public key of a key pair, click the arrow icon to expand the row.

Manage validation keys through the API

Use the following License Management API operations to manage validation key pairs:

Operation URL (relative, prepend the environment base URL)
Generate a validation key pair POST /licensing-signing-keys/actions/generate
Set a validation key pair as the active key pair PUT /licensing-signing-keys/{id}/actions/activate
Delete a validation key pair DELETE /licensing-signing-keys/{id}

Use the following License Management API operations to retrieve the public keys and information on the key pairs:

Operation URL (relative, prepend the environment base URL)
Retrieve information on validation key pairs GET /licensing-signing-keys
Retrieve information on a validation key pair based on key pair ID GET /licensing-signing-keys/actions/find-by-keyid/{keyId}
Retrieve the public keys in JSON Web Key Set (JWKS) format GET /licensing-signing-keys/.well-known/jwks.json

See more about the JWKS format in RFC 7517.

Next steps

Verify the signature of license tokens in your client application using the validation keys.