Generate a Key

This API is used to generate a new Key.

Global API Key Authentication
Generate a new Key with a randomly generated Id
POST/api/key/generate
OpenAPI Spec
Global API Key Authentication
Generate a new Key with the provided unique Id
POST/api/key/generate/{keyId}
OpenAPI Spec

Request#

Request Parameters#

keyIdUUIDoptionalDefaults to secure random UUID

The Id to use for the new key. If not specified a secure random UUID will be generated.

Request Body#

key.algorithmStringrequired

The algorithm used to generate the Key. The following values represent algorithms supported by FusionAuth:

  • Ed25519 - EdDSA using the Ed25519 parameter set Available since 1.62.0
  • ES256 - ECDSA using P-256 curve and SHA-256 hash algorithm
  • ES384 - ECDSA using P-384 curve and SHA-384 hash algorithm
  • ES512 - ECDSA using P-521 curve and SHA-512 hash algorithm
  • RS256 - RSA using SHA-256 hash algorithm
  • RS384 - RSA using SHA-384 hash algorithm
  • RS512 - RSA using SHA-512 hash algorithm
  • HS256 - HMAC using SHA-256 hash algorithm
  • HS384 - HMAC using SHA-384 hash algorithm
  • HS512 - HMAC using SHA-512 hash algorithm
key.issuerStringoptional

The issuer of the certificate.

If omitted, this value will default to the value of tenant.issuer on the default tenant. For HMAC keys, this field does not apply and will be ignored if specified, and no default value will be set.

key.nameStringrequired

The name of the Key.

key.lengthStringoptional

The length of the RSA or EC certificate. This field is required when generating RSA key types.

For RSA, possible values are: 2048, 3072 or 4096.

For EC, possible values are: 256, 384, or 521.

Example Request JSON

{
  "key": {
    "algorithm": "RS256",
    "issuer": "piedpiper.com",
    "name": "SHA-256 with RSA",
    "length": 2048
  }
}

Response#

The response for this API contains the Key that was generated.

Response Codes
CodeDescription
200The request was successful. The response will contain a JSON body.
400The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.
401You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.
500There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Response Body#

key.algorithmString

The algorithm used to generate the key. For Secrets, this value will be None.

key.certificateString

The X.509 certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformationMap<String, Object>

The RSA or EC certificate information. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.issuerString

The issuer of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.md5FingerprintString

The md5 fingerprint of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.serialNumberString

The serial number of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.sha1FingerprintString

The SHA-1 fingerprint of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.sha1ThumbprintString

The SHA-1 thumbprint of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.sha256FingerprintString

The SHA-256 fingerprint of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.sha256ThumbprintString

The SHA-256 thumbprint of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.subjectString

The subject of the certificate. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.validFromInteger

The UNIX time in milliseconds marking the start of the certificate validity period. This field is omitted for HMAC keys and Secrets.

key.certificateInformation.validToInteger

The UNIX time in milliseconds marking the expiration certificate. This field is omitted for HMAC keys and Secrets.

key.expirationInstantInteger

The instant marking the expiration certificate. This field is omitted for HMAC keys and Secrets.

key.hasPrivateKeyBoolean

Because the private key will never be returned in the API response, this value will indicate if the private key is stored in FusionAuth. This field is omitted for HMAC keys and Secrets.

key.idUUID

The Id of the Key.

key.insertInstantLong

The instant that the key was added to the FusionAuth database.

key.issuerString

The issuer of the certificate. This field is omitted for HMAC keys and Secrets.

key.kidString

The key identifier 'kid'.

key.lastUpdateInstantLong

The instant that the key was updated in the FusionAuth database.

key.lengthString

The length of the certificate. This field is omitted for HMAC keys and Secrets.

key.nameString

The name of the key.

key.publicKeyString

The certificate public key. This field is omitted for HMAC keys and Secrets.

key.typeString

The key type. The possible values are:

  • EC
  • OKP Available since 1.62.0
  • RSA
  • HMAC
  • Secret Available since 1.64.0

Example HMAC Key Response JSON

{
  "key": {
    "algorithm": "HS256",
    "id": "092dbedc-30af-4149-9c61-b578f2c72f59",
    "insertInstant": 1562171137000,
    "kid": "10d51735a5",
    "lastUpdateInstant": 1595361143101,
    "name": "OpenID Connect compliant HMAC using SHA-256",
    "type": "HMAC"
  }
}

Example RSA Key Response JSON

{
  "key": {
    "algorithm": "RS256",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIICrjCCAZagAwIBAQIQeA4dW+47Q7KuyNuZuZrcTjANBgkqhkiG9w0BAQsFADAT\nMREwDwYDVQQDEwhhY21lLmNvbTAeFw0xOTA3MDMyMTI0MzJaFw0yOTA3MDMyMTI0\nMzJaMBMxETAPBgNVBAMTCGFjbWUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEAnbNGwtU33S4vbipGeIwe/DhLEfc5FaEOHK4WeQ3QF8zZGyI09bNQ\ndkp8uNTFfVehIgmvYHmJWPeaNrYK//qjWAsSvYYoytj1j4BywI8uLSjt8QvzaoFU\nMOi1cBbXM2586R7yTRm7jMk91MLM101zkrf1cmFdRUwTpeJjw66XG3JlTGZCmZsJ\nG7m6+nbe5LHt4CiufmJHujGeFzgwby3jXZtuK1y3ua3380Fv95JyG3TucnMwEw5E\nYQ8Q+dZzNC8OSaKrgmnN0gWdsJ7P7vu6lMy6sXKhvcxo1p+tXywYPFJahxA+rZDG\n16RLbUppCx10q8tIcFKeAyl4eywzBaBLxwIDAQABMA0GCSqGSIb3DQEBCwUAA4IB\nAQBbsHWIBDwW1hFEin0D5BK/rwpCIZ4jlJ9PON4q0rF/tl9+pSzTqMeEqU0NMlJ7\nXm2O5U0i8Sy8Lhemo9qYCZ76qEiHFZwQBmNAC4de92KMcw4Q7q5CVjTGv3X+Avlg\n/c+I+zJLO/IJlzhOvHj+iCeBZDznt6/KlFfXA9EvlznxqZCQHSf2f94UlvBmqbVY\nOfXE5+OQ3URyNyh88g9yClSb4hzu1lmzevZ/AVbe2kTjZQQWB0TmqPg/6SS+nhsa\nuAMK1kSlSK9t6CPz/L7olJeAi7G/PZPaYG1gIFVFaBnYM0rwagQGtPMi1uCERCKr\nkUlBh6gSyN7SGJBvWEh6+zZF\n-----END CERTIFICATE-----",
    "certificateInformation": {
      "issuer": "CN=acme.com",
      "md5Fingerprint": "FC:36:CD:0B:9C:B7:62:F0:A9:16:AE:72:8E:F8:7D:D8",
      "serialNumber": "78:0E:1D:5B:EE:3B:43:B2:AE:C8:DB:99:B9:9A:DC:4E",
      "sha1Fingerprint": "CD:A9:80:5F:4D:37:EB:CD:B4:45:42:DF:76:35:15:E9:89:21:61:B6",
      "sha1Thumbprint": "zamAX0036820RULfdjUV6YkhYbY",
      "sha256Fingerprint": "33:7C:CB:4C:23:3B:F5:22:49:2F:68:C5:FA:D1:6E:3C:72:54:CB:3C:E6:D1:70:08:55:FC:43:24:9A:98:05:CF",
      "sha256Thumbprint": "M3zLTCM79SJJL2jF-tFuPHJUyzzm0XAIVfxDJJqYBc8",
      "subject": "CN=acme.com",
      "validFrom": 1562189072183,
      "validTo": 1877808272183
    },
    "expirationInstant": 1877808272183,
    "hasPrivateKey": false,
    "id": "780e1d5b-ee3b-43b2-aec8-db99b99adc4e",
    "insertInstant": 1562189072183,
    "issuer": "acme.com",
    "kid": "zamAX0036820RULfdjUV6YkhYbY",
    "lastUpdateInstant": 1595361143101,
    "length": 2048,
    "name": "SHA-256 with RSA",
    "publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnbNGwtU33S4vbipGeIwe\n/DhLEfc5FaEOHK4WeQ3QF8zZGyI09bNQdkp8uNTFfVehIgmvYHmJWPeaNrYK//qj\nWAsSvYYoytj1j4BywI8uLSjt8QvzaoFUMOi1cBbXM2586R7yTRm7jMk91MLM101z\nkrf1cmFdRUwTpeJjw66XG3JlTGZCmZsJG7m6+nbe5LHt4CiufmJHujGeFzgwby3j\nXZtuK1y3ua3380Fv95JyG3TucnMwEw5EYQ8Q+dZzNC8OSaKrgmnN0gWdsJ7P7vu6\nlMy6sXKhvcxo1p+tXywYPFJahxA+rZDG16RLbUppCx10q8tIcFKeAyl4eywzBaBL\nxwIDAQAB\n-----END PUBLIC KEY-----",
    "type": "RSA"
  }
}

Example EC Key Response JSON

{
  "key": {
    "algorithm": "ES256",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIBJzCBy6ADAgEBAhEAwUtQ5YaLTb6fPAKM0FFbETAMBggqhkjOPQQDAgUAMBMx\nETAPBgNVBAMTCGFjbWUuY29tMB4XDTIxMTAwMjEzNDE1MVoXDTMxMTAwMjEzNDE1\nMVowEzERMA8GA1UEAxMIYWNtZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAARPysdu/AKSICtkZa9hlBGb7vJHJ0GHWYXEeyTYDCPd2XoT5icVAZQ5GVU1q2WV\nEaVJRmlFuGqWElvYLIRYrce2MAwGCCqGSM49BAMCBQADSQAwRgIhAJCXC5Ys25Wk\nYXeC1bWjyt71p8Yn1B//DZo+SzQrBVF+AiEA3u6an0m+wsO1dnNN1wtXdUsa5Avo\nOjME4ZLJHhtGQ1I=\n-----END CERTIFICATE-----",
    "certificateInformation": {
      "issuer": "CN=acme.com",
      "md5Fingerprint": "E5:50:70:3A:88:56:7C:BE:CB:FA:50:29:19:B5:CE:2D",
      "serialNumber": "00:C1:4B:50:E5:86:8B:4D:BE:9F:3C:02:8C:D0:51:5B:11",
      "sha1Fingerprint": "2F:22:15:AC:7C:2A:67:E8:F3:AB:87:97:3A:E0:84:58:79:A3:35:7F",
      "sha1Thumbprint": "LyIVrHwqZ-jzq4eXOuCEWHmjNX8",
      "sha256Fingerprint": "D5:B0:B5:5E:07:1D:2B:84:A8:7C:5F:89:B7:74:62:2F:8C:57:A8:66:A1:D5:A2:F1:A9:94:70:8F:D3:0D:64:0F",
      "sha256Thumbprint": "1bC1XgcdK4SofF-Jt3RiL4xXqGah1aLxqZRwj9MNZA8",
      "subject": "CN=acme.com",
      "validFrom": 1633182111000,
      "validTo": 1948714911000
    },
    "expirationInstant": 1948714911000,
    "hasPrivateKey": true,
    "id": "c14b50e5-868b-4dbe-9f3c-028cd0515b11",
    "insertInstant": 1633182111648,
    "issuer": "acme.com",
    "kid": "LyIVrHwqZ-jzq4eXOuCEWHmjNX8",
    "lastUpdateInstant": 1633182111648,
    "length": 256,
    "name": "ECDSA using P-256 curve and SHA-256",
    "publicKey": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET8rHbvwCkiArZGWvYZQRm+7yRydB\nh1mFxHsk2Awj3dl6E+YnFQGUORlVNatllRGlSUZpRbhqlhJb2CyEWK3Htg==\n-----END PUBLIC KEY-----",
    "type": "EC"
  }
}

Example EdDSA Key Response JSON

{
  "key": {
    "algorithm": "Ed25519",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIHsMIGfoAMCAQECEQDqdRGGNnhIwI8IEfDjwZN7MAUGAytlcDAYMRYwFAYDVQQD\nEw1mdXNpb25hdXRoLmlvMB4XDTI1MTIxODE2MDUyNVoXDTM1MTIxODE2MDUyNVow\nGDEWMBQGA1UEAxMNZnVzaW9uYXV0aC5pbzAqMAUGAytlcAMhAI+wTC3wU30tqiGR\n8RsFrAYl++dNZTRIdwUqPmMv3xeqMAUGAytlcANBANiOCGE+XoUorYo13gor1PWM\n6sL7j2oDBbSExzThihvYXyO7Lx7s8ZCgJ8rIcxgDQRJbhq1n5oxMAvGnzezDMwQ=\n-----END CERTIFICATE-----",
    "certificateInformation": {
      "issuer": "CN=fusionauth.io",
      "md5Fingerprint": "74:19:09:95:D9:6F:52:D9:83:D5:CD:48:D2:26:34:A2",
      "serialNumber": "00:EA:75:11:86:36:78:48:C0:8F:08:11:F0:E3:C1:93:7B",
      "sha1Fingerprint": "AB:6D:71:A6:B6:36:BA:D3:00:7D:1D:E8:CB:08:25:6F:46:13:EF:51",
      "sha1Thumbprint": "q21xprY2utMAfR3oywglb0YT71E",
      "sha256Fingerprint": "1A:BE:72:43:9A:B6:06:D5:08:32:06:28:A8:1B:DF:73:A2:99:5E:82:FF:C4:A3:FD:F3:9B:5F:5F:80:4A:27:D4",
      "sha256Thumbprint": "Gr5yQ5q2BtUIMgYoqBvfc6KZXoL_xKP985tfX4BKJ9Q",
      "subject": "CN=fusionauth.io",
      "validFrom": 1766073925573,
      "validTo": 2081606725573
    },
    "expirationInstant": 2081606725573,
    "hasPrivateKey": true,
    "id": "ea751186-3678-48c0-8f08-11f0e3c1937b",
    "insertInstant": 1766073925573,
    "issuer": "fusionauth.io",
    "kid": "q21xprY2utMAfR3oywglb0YT71E",
    "lastUpdateInstant": 1766073925573,
    "length": 32,
    "name": "EdDSA using the Ed25519 parameter set",
    "publicKey": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAj7BMLfBTfS2qIZHxGwWsBiX7501lNEh3BSo+Yy/fF6o=\n-----END PUBLIC KEY-----",
    "type": "OKP"
  }
}