Configure JWT signing

Audited signs the JWTs it issues, and you must configure signing with one of two options:

  • HMAC (simpler) — set ADT_JWT_SECRET to a long random string. Tokens are signed and verified with this shared secret.
  • ECDSA key pair — set both ADT_JWT_PUBLIC_KEY and ADT_JWT_PRIVATE_KEY (PEM). Tokens are signed with the private key and verified with the public key.

If ADT_JWT_SECRET is set, it takes precedence. Otherwise both key pair variables are required.

Startup fails without JWT signing

The service will not start unless one option is fully configured — either ADT_JWT_SECRET, or both ADT_JWT_PUBLIC_KEY and ADT_JWT_PRIVATE_KEY.