
JSON Web Token Exchange

Qloud sets a JWT as a cookie in the browser (see Cookies). The proxy processes this cookie and replaces it with an internal JWT. Externally, we use RS256 to sign the JWT with a private key known only to the Qloud servers. For communication with the backend, we use HS256 to sign the JWT with the shared secret shown in the Qloud Console.

The external JWT is long-lived (2 weeks); the internal JWT is short-lived (1 minute).
