Skip to content

Commit f634d3b

Browse files
Exadra37Exadra37
committed
Added info about the use of asymetirc keys to allow for a different keyset on each API domain used.
Signed-off-by: Exadra37 <exadra37@gmail.com>
1 parent f7287ef commit f634d3b

File tree

3 files changed

+22
-4
lines changed

3 files changed

+22
-4
lines changed

README.md

+6
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,12 @@ Now, register the API domain for which Approov will issues tokens:
2323
approov api -add api.example.com
2424
```
2525

26+
> **NOTE:** By default a symmetric key (HS256) is used to sign the Approov token on a valid attestation of the mobile app for each API domain it's added with the Approov CLI, so that all APIs will share the same secret and the backend needs to take care to keep this secret secure.
27+
>
28+
> A more secure alternative is to use asymmetric keys (RS256 or others) that allows for a different keyset to be used on each API domain and for the Approov token to be verified with a public key that can only verify, but not sign, Approov tokens.
29+
>
30+
> To implement the asymmetric key you need to change from using the symmetric HS256 algorithm to an asymmetric algorithm, for example RS256, that requires you to first [add a new key](https://approov.io/docs/latest/approov-usage-documentation/#adding-a-new-key), and then specify it when [adding each API domain](https://approov.io/docs/latest/approov-usage-documentation/#keyset-key-api-addition). Please visit [Managing Key Sets](https://approov.io/docs/latest/approov-usage-documentation/#managing-key-sets) on the Approov documentation for more details.
31+
2632
Next, enable your Approov `admin` role with:
2733

2834
```bash

docs/APPROOV_TOKEN_BINDING_QUICKSTART.md

+8-2
Original file line numberDiff line numberDiff line change
@@ -49,11 +49,17 @@ Approov needs to know the domain name of the API for which it will issue tokens.
4949

5050
Add it with:
5151

52-
```text
52+
```bash
5353
approov api -add your.api.domain.com
5454
```
5555

56-
Adding the API domain also configures the [dynamic certificate pinning](https://approov.io/docs/latest/approov-usage-documentation/#approov-dynamic-pinning) setup, out of the box.
56+
> **NOTE:** By default a symmetric key (HS256) is used to sign the Approov token on a valid attestation of the mobile app for each API domain it's added with the Approov CLI, so that all APIs will share the same secret and the backend needs to take care to keep this secret secure.
57+
>
58+
> A more secure alternative is to use asymmetric keys (RS256 or others) that allows for a different keyset to be used on each API domain and for the Approov token to be verified with a public key that can only verify, but not sign, Approov tokens.
59+
>
60+
> To implement the asymmetric key you need to change from using the symmetric HS256 algorithm to an asymmetric algorithm, for example RS256, that requires you to first [add a new key](https://approov.io/docs/latest/approov-usage-documentation/#adding-a-new-key), and then specify it when [adding each API domain](https://approov.io/docs/latest/approov-usage-documentation/#keyset-key-api-addition). Please visit [Managing Key Sets](https://approov.io/docs/latest/approov-usage-documentation/#managing-key-sets) on the Approov documentation for more details.
61+
62+
Adding the API domain also configures the [dynamic certificate pinning](https://approov.io/docs/latest/approov-usage-documentation/#dynamic-pinning) setup, out of the box.
5763

5864
> **NOTE:** By default the pin is extracted from the public key of the leaf certificate served by the domain, as visible to the box issuing the Approov CLI command and the Approov servers.
5965

docs/APPROOV_TOKEN_QUICKSTART.md

+8-2
Original file line numberDiff line numberDiff line change
@@ -49,11 +49,17 @@ Approov needs to know the domain name of the API for which it will issue tokens.
4949

5050
Add it with:
5151

52-
```text
52+
```bash
5353
approov api -add your.api.domain.com
5454
```
5555

56-
Adding the API domain also configures the [dynamic certificate pinning](https://approov.io/docs/latest/approov-usage-documentation/#approov-dynamic-pinning) setup, out of the box.
56+
> **NOTE:** By default a symmetric key (HS256) is used to sign the Approov token on a valid attestation of the mobile app for each API domain it's added with the Approov CLI, so that all APIs will share the same secret and the backend needs to take care to keep this secret secure.
57+
>
58+
> A more secure alternative is to use asymmetric keys (RS256 or others) that allows for a different keyset to be used on each API domain and for the Approov token to be verified with a public key that can only verify, but not sign, Approov tokens.
59+
>
60+
> To implement the asymmetric key you need to change from using the symmetric HS256 algorithm to an asymmetric algorithm, for example RS256, that requires you to first [add a new key](https://approov.io/docs/latest/approov-usage-documentation/#adding-a-new-key), and then specify it when [adding each API domain](https://approov.io/docs/latest/approov-usage-documentation/#keyset-key-api-addition). Please visit [Managing Key Sets](https://approov.io/docs/latest/approov-usage-documentation/#managing-key-sets) on the Approov documentation for more details.
61+
62+
Adding the API domain also configures the [dynamic certificate pinning](https://approov.io/docs/latest/approov-usage-documentation/#dynamic-pinning) setup, out of the box.
5763

5864
> **NOTE:** By default the pin is extracted from the public key of the leaf certificate served by the domain, as visible to the box issuing the Approov CLI command and the Approov servers.
5965

0 commit comments

Comments
 (0)