Any authentication provider can be supported by generating custom JWTs for PowerSync.
For a quick way to get started before implementing custom auth, Development Tokens can be used instead.
The process is as follows:
The requirements are:
A key pair (private + public key) is required to sign and verify JWTs. The private key is used to sign the JWT, and the public key is advertised on a public JWKS URL.
Requirements for the key in the JWKS URL:
- Key type (kty): RSA, OKP (EdDSA) or EC (ECDSA).
- Algorithm (alg): RS256, RS384 or RS512 for RSA; EdDSA for EdDSA; ES256, ES384 or ES512 for ECDSA.
- Curve (crv), only relevant for EdDSA and ECDSA: Ed25519 or Ed448 for EdDSA; P-256, P-384 or P-512 for ECDSA.
- A kid must be specified and must match the kid in the JWT.
Requirements for the signed JWT:
- The kid must match the key in the JWKS URL.
- The aud of the JWT must match the PowerSync instance URL.
- The iat and exp fields must be present, with a difference of 3600 or less between them.
- The user ID must be in the sub of the JWT.
Refer to this example for creating and verifying JWTs for PowerSync authentication.
Since there is no way to revoke a JWT once issued without rotating the key, we recommend using short expiration periods (e.g. 5 minutes). JWTs older than 60 minutes are not accepted by PowerSync.
If a private key is compromised, rotate the key on the JWKS endpoint.
PowerSync refreshes the keys from the endpoint every couple of minutes, after which old tokens will not be accepted anymore.
There is a possibility of false authentication errors until PowerSync refreshes the keys. These errors are typically retried by the client and will have little impact. However, to periodically rotate keys without any authentication failures, follow this process: