Stage:
General Availability
Available on self-hosted:
Yes
JWT Signing Keys replace the legacy JWT secret with asymmetric key cryptography. The legacy secret is a single symmetric value, so every service that could verify a token also held everything needed to forge one. With signing keys, the private key signs tokens on Supabase servers and never leaves them, while the public key verifies them anywhere. This enables local JWT verification without calling Supabase servers, and a leaked verifier cannot mint tokens.
Key benefits
- Faster verification: Verify JWTs locally against the published public key, with no round trip to Supabase on each request.
- Independent rotation: Rotate the signing key on its own instead of changing one shared secret that everything depends on.
- Roll-back capability: Revert to a previous key if a rotation goes wrong.
- Better mobile support: Clients pick up new public keys from the JWKS endpoint, so a key rotation does not force an app update.
- Shorter JWT expiry: Default 5-minute expiry narrows the window in which a leaked or stale token can be used. This matters more with local verification, since the verifier does not ask the server whether a session still exists.
- Smaller JWTs: Less redundant data in tokens.
Key features
- Asymmetric signing using RSA or Elliptic Curve keys.
- Multiple key support with Active, Standby, Previously used, and Revoked states, so tokens signed by a previous key keep verifying until that key is revoked.
- JWKS endpoint that exposes the public keys at https://<project-ref>.supabase.co/auth/v1/jwks. Each key carries a key ID (kid) that matches the kid in the token header; a verifier should select the key by kid and reject any token whose kid is not in the JWKS, which is how revocation takes effect for local verifiers.
Migration
The legacy JWT secret can be imported into the new system as a key, so tokens it signed continue to verify during the transition. Migration can be gradual: both systems can coexist until every verifier has moved to the JWKS endpoint.
JWT Signing Keys are valuable for:
- Applications requiring local JWT verification
- Mobile apps needing flexible key rotation
- Security-conscious applications requiring shorter token expiry
- Projects migrating from legacy JWT secrets
JWT Signing Keys provide modern, secure JWT management with the flexibility required for production applications.