By apipark

Mastering JWK: Securely Manage Your Digital Keys

Mastering JWK: Securely Manage Your Digital Keys
jwk
XRoute.AI
XPack.AI

In the intricate tapestry of modern digital interactions, the secure exchange of information and the robust authentication of identities stand as paramount concerns. From the smallest mobile application requesting data to the largest enterprise system orchestrating complex microservices, the integrity and confidentiality of communication are non-negotiable. At the heart of this digital trust lies the effective management of cryptographic keys – the digital equivalents of physical keys that unlock sensitive data or verify digital signatures. However, the historical landscape of key management has often been fraught with fragmentation, proprietary formats, and interoperability challenges, creating significant hurdles for developers and security architects alike. The need for a standardized, web-friendly, and universally understood method for representing and exchanging these critical digital assets became increasingly apparent as the internet evolved into the primary conduit for information exchange.

Enter JSON Web Key (JWK), a deceptively simple yet profoundly impactful specification that has revolutionized how cryptographic keys are handled in web environments. JWK provides a standardized way to represent cryptographic keys in a JSON object, offering unparalleled flexibility, human readability, and seamless integration with existing web technologies. It is not merely a format but a foundational component that underpins a vast array of modern security protocols, enabling everything from secure API access to robust identity verification. This article embarks on an exhaustive exploration of JWK, dissecting its structure, illuminating its profound benefits, guiding through its practical implementation, and outlining the indispensable best practices for its secure management. We will delve into how JWK simplifies the complex world of digital keys, making them more manageable, interoperable, and ultimately, more secure across diverse systems and applications, especially within the context of a robust API gateway infrastructure.

The Landscape of Digital Keys and Their Intricate Challenges

The digital realm, much like the physical world, relies heavily on keys for access and authentication. In a digital context, these keys are cryptographic primitives that enable fundamental security operations: digital signatures verify the authenticity and integrity of data, ensuring it hasn't been tampered with and originates from a trusted source; encryption safeguards confidentiality, transforming readable data into an unreadable format that only authorized parties with the correct key can decipher; and secure key exchange mechanisms facilitate the establishment of shared secrets over untrusted networks. These operations are the bedrock of secure communication, protecting everything from online banking transactions to personal messages and critical infrastructure controls. Without reliable key management, the entire edifice of digital security crumbles, leaving systems vulnerable to a litany of attacks, including impersonation, data breaches, and service disruptions.

However, the path to secure key management has historically been paved with significant complexities. Traditional cryptographic key formats, while effective in their specific domains, often presented a fragmented and inconsistent landscape. Developers regularly encountered a bewildering array of formats such as PEM (Privacy-Enhanced Mail), DER (Distinguished Encoding Rules), PKCS#12 (Personal Information Exchange Syntax), and various others, each with its own specific encoding rules and structural nuances. This diversity inherently led to severe interoperability issues; a key generated in one system using one format might not be directly usable in another system without arduous conversion processes, often involving multiple steps and specialized tools. This fragmentation created friction, increased the likelihood of configuration errors, and introduced substantial overhead in developing cross-platform secure applications.

Moreover, the lifecycle management of these keys posed another layer of challenge. Cryptographic keys are not static entities; they require dynamic management throughout their existence. This includes secure generation, ensuring the randomness and strength of the key material; secure storage, protecting private keys from unauthorized access; regular rotation, replacing old keys with new ones to mitigate the risk of compromise over time; and robust revocation procedures, immediately invalidating compromised or expired keys. Each of these stages, when handled with traditional, disparate formats, added significant complexity. For instance, updating an application's signing key often meant distributing new key files to every consuming service, potentially leading to inconsistencies or operational delays. The sheer volume of manual intervention required to manage keys across a sprawling infrastructure of services and applications was not only error-prone but also scaled poorly as systems grew in complexity and scope. The advent of cloud computing, microservices architectures, and the proliferation of RESTful APIs further exacerbated these challenges, demanding a more agile, web-centric, and standardized approach to key representation and management. It was against this backdrop that the need for a solution like JWK became not just desirable, but absolutely essential.

Decoding JSON Web Key (JWK) - A Fundamental Overview

At its core, a JSON Web Key (JWK) is a JSON object that represents a cryptographic key. This simple yet powerful definition marks a significant departure from the opaque binary formats that traditionally dominated the cryptographic landscape. By embracing JSON, JWK leverages a data format that is inherently human-readable, easily parsable by a multitude of programming languages and libraries, and natively supported across virtually all web development environments. This design choice immediately addresses many of the interoperability and integration challenges posed by older, less flexible key formats. The primary purpose of JWK is to provide a standardized, consistent, and web-friendly method for representing cryptographic keys, making it simpler to exchange, store, and utilize them in a wide array of web applications and services.

A JWK is not just a container for raw key material; it's a structured object that includes various parameters describing the key's properties and intended usage. While the specific parameters depend on the type of cryptographic key being represented (e.g., RSA, Elliptic Curve, or symmetric), several fundamental components are common or highly relevant across most JWKs:

  • kty (Key Type): This is a mandatory parameter that identifies the cryptographic algorithm family used with the key. Common values include "RSA" for RSA cryptographic algorithms, "EC" for Elliptic Curve Digital Signature Algorithm (ECDSA) keys, and "oct" for octet sequence (symmetric) keys. This parameter immediately informs consuming applications about the fundamental nature of the key.
  • kid (Key ID): An optional but highly recommended parameter, the Key ID provides a unique identifier for the JWK within a set of keys. When an application needs to select a specific key from a collection (a JWK Set), the kid acts as a crucial lookup mechanism. For example, a JSON Web Token (JWT) often includes a kid in its header, allowing the verifying party to quickly locate the correct public key from a JWKS endpoint.
  • use (Public Key Use): This optional parameter indicates the intended use of the public key. It can be "sig" for signature verification or "enc" for encryption. While optional, specifying the use enhances security by explicitly stating the key's purpose, helping to prevent misconfigurations or misuse. A key designated for signing should ideally not be used for encryption, and vice-versa, adhering to the principle of least privilege.
  • alg (Algorithm): Another optional parameter, alg identifies the cryptographic algorithm family and specific algorithm intended for use with the key. For instance, alg: "RS256" indicates an RSA PSS signature with SHA-256 hash. While not strictly necessary if the alg is specified in the JWT header, including it in the JWK can provide clarity and enforce specific algorithm usage.
  • Specific Key Parameters: These parameters hold the actual mathematical components of the cryptographic key:
    • For RSA keys (kty: "RSA"):
      • n (modulus): The public modulus for the RSA key.
      • e (public exponent): The public exponent for the RSA key.
      • d (private exponent), p, q, dp, dq, qi: These represent the private key components and are only present in a private RSA JWK.
    • For Elliptic Curve keys (kty: "EC"):
      • crv (curve): The cryptographic curve used (e.g., "P-256", "P-384", "P-521").
      • x (x coordinate): The x coordinate for the Elliptic Curve point.
      • y (y coordinate): The y coordinate for the Elliptic Curve point.
      • d (private key): The private key component for an EC private JWK.
    • For Symmetric keys (kty: "oct"):
      • k (key value): The octet sequence comprising the symmetric key. This value must be securely handled as it represents the entire secret.

Here's a simplified illustration of a public RSA JWK:

{
  "kty": "RSA",
  "kid": "unique-rsa-key-id-123",
  "use": "sig",
  "alg": "RS256",
  "n": "sQ9_S_qX...",
  "e": "AQAB"
}

This JSON structure is intuitively understandable. A developer can quickly grasp that this is an RSA key intended for signing, with a specific ID, and designed to be used with the RS256 algorithm. The base64url-encoded n and e values contain the public components of the RSA key. This human-readable and machine-parsable format profoundly simplifies the process of key exchange and storage. Instead of distributing opaque binary files, applications can simply exchange JSON objects, which are inherently compatible with web APIs and modern data transmission paradigms. This inherent simplicity and standardization are key drivers behind JWK's widespread adoption, making it a cornerstone for modern web security.

JWK Set (JWKS) - Managing Collections of Keys

While a single JWK is adept at representing an individual cryptographic key, real-world security scenarios often demand the management of multiple keys. This necessity arises from various operational requirements and best practices, such as key rotation, supporting different cryptographic algorithms, or catering to diverse client needs. For instance, an identity provider might use a specific signing key to issue JSON Web Tokens (JWTs) for a certain period, but then transition to a new key for enhanced security or compliance reasons. During this transition, both the old and new keys must remain available to allow for a graceful deprecation period where existing tokens signed with the old key can still be validated, while new tokens are signed with the new key. In such dynamic environments, a mechanism for managing and distributing collections of JWKs becomes indispensable. This is precisely where the JSON Web Key Set (JWKS) specification comes into play.

A JWKS is a JSON object that contains an array of JWK objects. The structure is straightforward: a top-level JSON object with a single mandatory member, keys, whose value is an array of JWK objects. Each object in this array represents a distinct cryptographic key, potentially with its own kid (Key ID), use (public key use), alg (algorithm), and other specific parameters.

{
  "keys": [
    {
      "kty": "RSA",
      "kid": "old-signing-key-2023",
      "use": "sig",
      "alg": "RS256",
      "n": "...",
      "e": "AQAB"
    },
    {
      "kty": "EC",
      "kid": "current-signing-key-2024",
      "use": "sig",
      "alg": "ES256",
      "crv": "P-256",
      "x": "...",
      "y": "..."
    },
    {
      "kty": "RSA",
      "kid": "encryption-key-for-data",
      "use": "enc",
      "alg": "RSA-OAEP-256",
      "n": "...",
      "e": "AQAB"
    }
  ]
}

This example illustrates a JWKS containing three keys: an old RSA signing key, a current Elliptic Curve signing key, and an RSA encryption key. The presence of multiple keys, identified by their unique kid values, allows consuming services to select the appropriate key for a given operation. For instance, when validating a JWT, the verifier typically inspects the kid parameter in the JWT's header. It then uses this kid to look up the corresponding public key within the available JWKS.

The importance of JWKS is particularly pronounced for identity providers and API gateway components. Identity providers, such as OAuth 2.0 Authorization Servers or OpenID Connect Providers, are responsible for issuing security tokens (like ID Tokens and Access Tokens) that are digitally signed. To enable resource servers (which protect APIs) and relying parties (client applications) to verify these signatures, the identity provider must expose its public signing keys. JWKS provides a standardized and discoverable mechanism for this. Identity providers typically expose a public HTTP endpoint (often at .well-known/jwks.json) where their current public JWKS can be retrieved. This endpoint acts as a single source of truth for all public keys used by the provider, simplifying key discovery and validation for all downstream consumers.

For an API gateway, which often sits at the edge of a microservices architecture, protecting backend APIs from unauthorized access, the ability to efficiently consume and utilize JWKS is paramount. When an incoming request carries a JWT, the API gateway needs to: 1. Extract the JWT from the request header. 2. Inspect the kid and alg parameters in the JWT header. 3. Fetch the relevant JWKS from the identity provider's .well-known/jwks.json endpoint (often with caching to improve performance). 4. Locate the specific public key within the JWKS that matches the kid in the JWT header. 5. Use this public key to verify the JWT's digital signature.

This process ensures that only tokens signed by the legitimate identity provider using a valid key are accepted, thereby enforcing robust authentication and authorization policies at the gateway level. By centralizing key management and distribution through JWKS, organizations can significantly enhance the security posture of their APIs, streamline key rotation processes, and reduce the operational overhead associated with distributing and managing cryptographic keys across a complex ecosystem of services and applications. This unified approach is a cornerstone of scalable and secure modern web architectures.

The Role of JWK in Modern Security Protocols

JSON Web Key (JWK) is not merely a standalone format for representing cryptographic keys; it is a fundamental building block that underpins and enables a suite of interconnected security protocols forming the backbone of modern web security. Its standardized nature allows these protocols to seamlessly interact, ensuring interoperability and robust security mechanisms. The most prominent of these protocols include JSON Web Signatures (JWS), JSON Web Encryption (JWE), and the overarching JSON Web Tokens (JWT), all of which leverage JWK for their cryptographic operations.

JSON Web Signatures (JWS): Ensuring Integrity and Authenticity

JSON Web Signatures (JWS) provides a compact, URL-safe means of representing content secured with digital signatures or Message Authentication Codes (MACs). The core purpose of JWS is to guarantee the integrity and authenticity of data: integrity ensures that the data has not been altered since it was signed, and authenticity confirms the sender's identity.

When creating a JWS, a party signs a payload using a private key (for digital signatures) or a symmetric key (for MACs). The JWS header contains parameters that describe the cryptographic operation, most notably: * alg (Algorithm): Specifies the signing algorithm used (e.g., RS256, ES384, HS256). * kid (Key ID): Often included to indicate which specific key from a JWK Set was used to sign the token.

Here's where JWK becomes indispensable. The alg parameter in the JWS header directly corresponds to the alg specified within the JWK that contains the actual key material. More importantly, when a verifier receives a JWS, it needs the corresponding public key (or symmetric key) to validate the signature. If the JWS header includes a kid, the verifier can use this identifier to look up the exact JWK (containing the public key) from a previously retrieved JWK Set. This mechanism dramatically simplifies key discovery and exchange, particularly in scenarios involving multiple keys or key rotation. Without JWK providing a standardized format for these keys, the process of verifying a JWS would be far more convoluted, requiring out-of-band key distribution and management. The interoperability benefits are immense: any system capable of parsing a JWK can verify a JWS, regardless of the underlying operating system or programming language, fostering a truly interconnected and secure digital ecosystem.

JSON Web Encryption (JWE): Safeguarding Confidentiality

While JWS focuses on integrity and authenticity, JSON Web Encryption (JWE) addresses the critical need for confidentiality. JWE provides a standardized way to encrypt content, ensuring that sensitive information remains protected from unauthorized access during transmission or storage.

Similar to JWS, JWE also utilizes a header to describe the encryption operation, including parameters like: * alg (Algorithm): Specifies the content encryption algorithm (e.g., RSA-OAEP-256, ECDH-ES). * enc (Encryption Algorithm): Specifies the content encryption algorithm used to perform authenticated encryption on the plaintext (e.g., A128CBC-HS256, A256GCM). * kid (Key ID): Can be used to identify the specific public key used for encryption, allowing the recipient to locate the corresponding private key for decryption.

JWK plays a pivotal role in JWE by specifying the public key used for encryption and the private key used for decryption. In a typical scenario, a sender wishing to transmit confidential data to a recipient would obtain the recipient's public JWK (which would contain kty, n, e for RSA, or crv, x, y for EC). The sender then uses this public key to encrypt the data. Upon receiving the encrypted JWE, the recipient uses their corresponding private JWK to decrypt the content. The structured nature of JWK, containing all necessary public and private key components in a predictable JSON format, streamlines this process. It facilitates secure data exchange over insecure channels by standardizing how encryption keys are represented and utilized, abstracting away the complexities of various underlying cryptographic libraries.

JSON Web Tokens (JWT): The Unification of Identity and Security

JSON Web Tokens (JWT) represent the powerful culmination of JWS and JWE, providing a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are widely used for authentication, authorization, and information exchange, particularly in modern stateless API architectures. A JWT can be signed (JWS) to ensure its integrity and authenticity, and/or encrypted (JWE) to ensure its confidentiality. It is the versatility and robust security mechanisms provided by JWS and JWE, fundamentally enabled by JWK, that make JWTs so prevalent.

When an identity provider (IdP) issues a JWT (typically an ID Token or Access Token in the context of OAuth 2.0 and OpenID Connect), it signs the token using its private key, which is represented as a private JWK. The header of this signed JWT will include the kid of the signing key. A resource server or client application that receives this JWT then needs to verify its signature. To do this, it retrieves the IdP's public JWK Set (JWKS) from a well-known endpoint (e.g., https://idp.example.com/.well-known/jwks.json). Using the kid from the JWT header, it locates the corresponding public JWK within the set and uses it to validate the signature. This entire process, from token issuance to verification, is rendered efficient, secure, and interoperable due to the standardized representation of keys through JWK.

Table: Overview of JWK Key Types and Essential Parameters

Parameter RSA Key Type (kty: "RSA") Elliptic Curve Key Type (kty: "EC") Symmetric Key Type (kty: "oct") Description
kty "RSA" "EC" "oct" Key Type (mandatory)
kid Optional Optional Optional Key ID (highly recommended for JWKS)
use Optional ("sig", "enc") Optional ("sig", "enc") Optional ("sig", "enc") Public Key Use (signature or encryption)
alg Optional (e.g., RS256) Optional (e.g., ES256) Optional (e.g., HS256) Specific algorithm intended for use with the key
n Mandatory for public/private N/A N/A RSA modulus (base64url-encoded)
e Mandatory for public/private N/A N/A RSA public exponent (base64url-encoded)
d Mandatory for private Mandatory for private N/A RSA private exponent / EC private key (base64url-encoded)
crv N/A Mandatory (e.g., P-256) N/A Elliptic Curve name
x N/A Mandatory for public/private N/A Elliptic Curve x coordinate (base64url-encoded)
y N/A Mandatory for public/private N/A Elliptic Curve y coordinate (base64url-encoded)
k N/A N/A Mandatory for private/public Symmetric key value (base64url-encoded)

In essence, JWK provides the universal language for cryptographic keys, allowing JWS and JWE to build robust security layers, which in turn enable JWTs to facilitate secure and trustworthy interactions across the modern web. The interconnectedness of these standards underscores the critical role JWK plays in establishing a secure and interoperable digital environment.

APIPark is a high-performance AI gateway that allows you to securely access the most comprehensive LLM APIs globally on the APIPark platform, including OpenAI, Anthropic, Mistral, Llama2, Google Gemini, and more.Try APIPark now! 👇👇👇
Install APIPark – it’s free

Implementing JWK: Practical Aspects and Code Examples

The theoretical understanding of JWK, JWKS, JWS, JWE, and JWT is crucial, but their real power is unlocked through practical implementation. Integrating JWK into your applications involves several key steps: generating keys, securely storing and retrieving them, and then using them for cryptographic operations like signing, verification, encryption, and decryption. Modern programming ecosystems offer a wealth of libraries and tools that abstract away much of the underlying cryptographic complexity, making JWK implementation relatively straightforward.

Generating JWKs

Generating cryptographic keys in the JWK format is the first step. Most robust cryptographic libraries provide functions to generate key pairs (for RSA and EC) or symmetric keys and then export them directly into JWK format.

Example (Conceptual - using a generic crypto_lib):

# Generate an RSA key pair and export as JWK
from crypto_lib import generate_rsa_key_pair, export_as_jwk

rsa_private_key_object = generate_rsa_key_pair(bits=2048)
rsa_public_jwk = export_as_jwk(rsa_private_key_object, private=False, kid="my-rsa-key-1")
rsa_private_jwk = export_as_jwk(rsa_private_key_object, private=True, kid="my-rsa-key-1")

print("Public RSA JWK:", rsa_public_jwk)
print("Private RSA JWK:", rsa_private_jwk)

# Generate an EC key pair and export as JWK
from crypto_lib import generate_ec_key_pair, export_as_jwk

ec_private_key_object = generate_ec_key_pair(curve="P-256")
ec_public_jwk = export_as_jwk(ec_private_key_object, private=False, kid="my-ec-key-2")
ec_private_jwk = export_as_jwk(ec_private_key_object, private=True, kid="my-ec-key-2")

print("Public EC JWK:", ec_public_jwk)
print("Private EC JWK:", ec_private_jwk)

# Generate a symmetric key and export as JWK
from crypto_lib import generate_symmetric_key, export_as_jwk

symmetric_key_bytes = generate_symmetric_key(length_bits=256)
symmetric_jwk = export_as_jwk(symmetric_key_bytes, kty="oct", kid="my-sym-key-3")

print("Symmetric JWK:", symmetric_jwk)

In real-world applications, libraries like jose for Node.js, PyJWT and python-jose for Python, and nimbus-jose-jwt for Java are widely used. These libraries provide robust functionalities for key generation, import/export, and cryptographic operations, simplifying the developer's task considerably. When generating keys, it's crucial to ensure sufficient cryptographic strength (e.g., 2048 bits or higher for RSA, P-256 or P-384 for EC) and proper randomness in key material generation.

Storing and Retrieving JWKs

Once generated, private JWKs must be stored securely, typically in a Key Management System (KMS), Hardware Security Module (HSM), or encrypted configuration files with restricted access. Public JWKs, on the other hand, are often published via a JWKS endpoint for public consumption by relying parties.

Serving JWKS Endpoints: For identity providers or services that sign JWTs, exposing a public JWKS endpoint (e.g., https://your-auth-server.com/.well-known/jwks.json) is a standard practice. This endpoint serves a JSON object containing an array of public JWKs.

{
  "keys": [
    {
      "kty": "RSA",
      "kid": "prod-signing-key-v1",
      "use": "sig",
      "alg": "RS256",
      "n": "...",
      "e": "AQAB"
    },
    {
      "kty": "EC",
      "kid": "prod-signing-key-v2",
      "use": "sig",
      "alg": "ES256",
      "crv": "P-256",
      "x": "...",
      "y": "..."
    }
  ]
}

This endpoint is critical for API gateways and client applications to dynamically discover and retrieve the necessary public keys to verify incoming JWTs.

Using JWKs for Signing and Verification

Signing a JWT (Identity Provider's Role): The identity provider uses its private JWK to sign a JWT. The kid from the private JWK is typically included in the JWT header.

# Assuming 'private_rsa_jwk' is loaded
from jose import jws
token_payload = {"sub": "user123", "iat": 1678886400}
headers = {"alg": "RS256", "kid": private_rsa_jwk["kid"]}
signed_jwt = jws.sign(token_payload, private_rsa_jwk, headers=headers)
print("Signed JWT:", signed_jwt)

Verifying a JWT (Resource Server / API Gateway's Role): A resource server or an API gateway receives a JWT and needs to verify its signature.

# Assuming 'public_jwks' is retrieved from a JWKS endpoint
from jose import jws, jwt

# Step 1: Parse the JWT header to get kid and alg
jwt_header = jwt.get_unverified_header(signed_jwt)
key_id = jwt_header.get("kid")
algorithm = jwt_header.get("alg")

# Step 2: Find the matching public key from the JWKS
# In a real scenario, public_jwks would be fetched and cached from an endpoint.
public_jwks = {
  "keys": [
    # ... include public_rsa_jwk and public_ec_jwk here
    {
      "kty": "RSA",
      "kid": "my-rsa-key-1",
      "use": "sig",
      "alg": "RS256",
      "n": "...", # placeholder, use actual value
      "e": "AQAB"
    }
  ]
}
public_key_jwk = next((key for key in public_jwks["keys"] if key["kid"] == key_id), None)

if public_key_jwk:
    # Step 3: Verify the JWT signature using the public key
    try:
        verified_payload = jws.verify(signed_jwt, public_key_jwk, algorithms=[algorithm])
        print("Verified JWT Payload:", verified_payload)
    except Exception as e:
        print("JWT verification failed:", e)
else:
    print(f"Public key with kid '{key_id}' not found in JWKS.")

Using JWKs for Encryption and Decryption

Encrypting with JWE (Sender's Role): The sender encrypts data using the recipient's public JWK.

# Assuming 'recipient_public_ec_jwk' is loaded
from jose import jwe
plaintext_data = "This is a secret message."
jwe_header = {
    "alg": "ECDH-ES",
    "enc": "A256CBC-HS512",
    "kid": recipient_public_ec_jwk["kid"]
}
encrypted_jwe = jwe.encrypt(plaintext_data, recipient_public_ec_jwk, jwe_header)
print("Encrypted JWE:", encrypted_jwe)

Decrypting JWE (Recipient's Role): The recipient decrypts the JWE using their private JWK.

# Assuming 'recipient_private_ec_jwk' is loaded
from jose import jwe
# In a real scenario, you'd load recipient_private_ec_jwk from secure storage.
decrypted_payload = jwe.decrypt(encrypted_jwe, recipient_private_ec_jwk)
print("Decrypted Payload:", decrypted_payload.decode('utf-8'))

Integration with an API Gateway

An API gateway serves as the crucial enforcement point for security policies in a modern microservices architecture. It acts as the first line of defense, intercepting all incoming requests to backend APIs. One of its most critical functions is to validate authentication and authorization tokens, often in the form of JWTs.

When a client sends an API request with a JWT in its authorization header, the gateway intercepts this request. It then proceeds to: 1. Extract JWT: Pull the JWT from the Authorization header. 2. Retrieve JWKS: Fetch the public key set (JWKS) from the configured identity provider's .well-known/jwks.json endpoint. For performance, gateways typically cache this JWKS, refreshing it periodically. 3. Validate Signature: Using the kid from the JWT header, the gateway selects the correct public key from the cached JWKS and verifies the JWT's digital signature. This ensures the token's authenticity and integrity. 4. Validate Claims: Beyond signature verification, the gateway also validates other JWT claims, such as exp (expiration time), nbf (not before time), aud (audience), and iss (issuer), to ensure the token is still valid and intended for the current service. 5. Authorize Request: Based on the validated claims (e.g., scopes, roles), the gateway determines if the client is authorized to access the requested API endpoint. 6. Forward Request: If all validations pass, the gateway then forwards the request, often with processed claims injected as headers, to the appropriate backend API service. If validation fails, the gateway rejects the request, preventing unauthorized access.

This process highlights the immense value of offloading JWT validation to the API gateway. It centralizes security logic, ensures consistent enforcement across all APIs, reduces the burden on individual backend services, and simplifies key management by allowing backend services to trust the gateway's validation.

A robust API gateway like APIPark is designed precisely for this kind of critical function, providing efficient and secure management of API traffic, including comprehensive JWT validation capabilities. APIPark, as an open-source AI gateway and API management platform, simplifies the integration and deployment of AI and REST services. It offers a unified management system for authentication and cost tracking across over 100 AI models. Its end-to-end API lifecycle management capabilities ensure that APIs are designed, published, invoked, and decommissioned securely and efficiently. By centralizing operations like traffic forwarding, load balancing, and especially JWT validation, APIPark abstracts away much of the underlying complexity. This allows developers to focus on their core business logic, confident that all API calls are properly authenticated and authorized through a high-performance gateway that leverages standards like JWK for its security mechanisms. APIPark's ability to achieve over 20,000 TPS on modest hardware also means that this robust security layer does not come at the cost of performance, supporting cluster deployment to handle large-scale traffic with ease. Its detailed API call logging and powerful data analysis features further enhance security monitoring and troubleshooting, making it an ideal choice for managing secure API ecosystems.

The successful implementation of JWK, especially when integrated with an API gateway, transforms complex cryptographic key management into a standardized, scalable, and highly secure process, enabling the seamless and protected flow of data across modern distributed systems.

Advanced JWK Concepts and Best Practices for Secure Management

Mastering JWK extends beyond understanding its basic structure and typical applications; it involves adopting advanced concepts and rigorous best practices to ensure the highest levels of security and operational efficiency. The lifecycle of cryptographic keys is inherently dynamic, and neglecting proper management can introduce significant vulnerabilities.

Key Rotation: A Crucial Security Practice

Key rotation is arguably one of the most critical security practices for cryptographic keys. It involves regularly replacing old cryptographic keys with new ones. The primary reasons for key rotation are: * Mitigating Compromise: If a key is compromised, limiting its lifespan reduces the window of opportunity for attackers to exploit it. Even if a compromise goes undetected, an expired key renders the leaked information useless for future attacks. * Limiting Data Exposure: The amount of data encrypted or signed with a single key should be limited. In the event of a key compromise, only data associated with that key's operational period is at risk. * Compliance Requirements: Many regulatory and compliance standards (e.g., PCI DSS, HIPAA) mandate regular key rotation.

Graceful Rotation Strategies using JWKS: For keys used in digital signatures (like those for JWTs), key rotation must be handled gracefully to avoid disrupting services. A common strategy involves: 1. Generate New Key: Generate a new key pair (e.g., RSA or EC) with a unique kid. 2. Add to JWKS: Publish the public component of the new key in the JWKS endpoint alongside existing keys. The JWKS will now contain both the old and new public keys. 3. Start Signing with New Key: Configure the identity provider or signing service to begin signing all new JWTs with the new private key. 4. Deprecate Old Key: Continue to include the old public key in the JWKS for a defined "grace period." During this period, services (like an API gateway) can still validate tokens signed with the old key. This is crucial because tokens signed with the old key might still be in circulation (e.g., refresh tokens or long-lived access tokens). 5. Remove Old Key: After the grace period (which should be long enough to account for the maximum lifetime of tokens signed with the old key), the old public key can be removed from the JWKS.

This phased approach ensures that consuming applications (relying parties, resource servers, API gateways) can seamlessly transition to using the new key without service interruptions, as they can always find the correct public key for validation in the JWKS. The kid parameter plays a vital role here, allowing verifiers to quickly select the appropriate key from the set.

Key Identification (kid): Precision in Key Selection

The kid (Key ID) parameter in a JWK (and often in a JWS/JWE header) is invaluable for identifying specific keys within a JWK Set. While optional, it is highly recommended for any system managing multiple keys.

  • Uniqueness: Each kid within a JWKS must be unique. Common strategies for generating kids include UUIDs, sequential numbers, or cryptographic hashes of the public key itself.
  • Immutability: Once assigned to a key, a kid should generally not change.
  • Benefits: kid simplifies key management by allowing clients to specify which key was used for a cryptographic operation without having to transmit the entire key itself. This is particularly efficient for API gateways, which can quickly look up the correct public key from a cached JWKS using the kid in an incoming JWT's header. It prevents ambiguity when multiple keys of the same type or algorithm are present.

Key Usage (use): Enforcing Purpose-Built Keys

The use (Public Key Use) parameter specifies the intended application of a public key. The two defined values are: * "sig": The key is used for digital signature verification. * "enc": The key is used for encryption.

While not strictly enforced by all libraries, explicitly setting use in a JWK is a strong security practice. It adheres to the principle of least privilege by ensuring keys are used only for their designated purpose. For instance, a private key used for signing should ideally not also be used for decryption, even if mathematically possible with certain algorithms (like RSA). Separating keys by their purpose helps limit the impact of a compromise; if a signing key is exposed, it doesn't automatically mean an encryption key is also compromised, thereby segmenting the risk. An API gateway or client application verifying a JWT might check the use parameter of the retrieved JWK to ensure it's indeed intended for signature verification.

Algorithmic Parameters (alg): Specifying Strong Cryptography

The alg (Algorithm) parameter indicates the cryptographic algorithm intended for use with the key. For signing, examples include RS256 (RSA PKCS#1 v1.5 with SHA-256) or ES384 (ECDSA with P-384 and SHA-384). For encryption, it might be RSA-OAEP-256.

  • Security: Always choose strong, modern cryptographic algorithms. Avoid deprecated or weak algorithms (e.g., HS256 for JWTs if using a shared secret is not desired, or algorithms with known vulnerabilities).
  • Consistency: The alg specified in the JWK should be consistent with the alg declared in the JWS/JWE header to prevent downgrade attacks where an attacker might try to force a weaker algorithm. Verifying libraries should strictly check this consistency.

Secure Storage and Lifecycle Management

The security of your cryptographic keys is paramount. Even with JWK's excellent interoperability, sloppy storage negates its benefits.

  • Private Keys: Private JWKs (containing d for RSA/EC or k for symmetric) must never be exposed publicly. They should be stored in:
    • Hardware Security Modules (HSMs): Dedicated physical devices that generate, store, and protect cryptographic keys. They provide the highest level of security.
    • Key Management Systems (KMS): Cloud-based services (AWS KMS, Azure Key Vault, Google Cloud KMS) or on-premise solutions that securely store and manage cryptographic keys, often integrated with HSMs.
    • Secure Secrets Managers: Solutions like HashiCorp Vault or Kubernetes Secrets (when properly encrypted) for application-specific keys.
    • Encrypted Filesystems: As a last resort for less critical systems, but with robust access controls and encryption at rest.
  • Public Keys: While public JWKs can be exposed, they should be served over HTTPS to ensure their integrity during transmission.
  • Access Controls: Implement strict access controls (least privilege) for all key management systems. Only authorized personnel or services should be able to access, generate, or revoke keys.
  • Audit Trails: Maintain comprehensive audit logs of all key management operations, including key generation, access, use, rotation, and deletion. This is crucial for security monitoring and forensic analysis.
  • Revocation Procedures: Establish clear and efficient procedures for revoking compromised or expired keys. For JWT signing keys, this involves removing them from the JWKS endpoint immediately, although active tokens signed with the revoked key may still be valid until their expiration.

Public vs. Private Keys in JWK: A Clear Distinction

It's vital to differentiate between public and private components within a JWK. * Public JWKs: Contain only the public parameters (e.g., n, e for RSA; crv, x, y for EC). These are safe to distribute widely, typically via JWKS endpoints. They are used for signature verification and encryption. * Private JWKs: Contain both public and private parameters (e.g., d for RSA/EC, or k for symmetric). These are highly sensitive and must be kept strictly confidential. They are used for signing and decryption.

An API gateway will always use public JWKs for verifying tokens, never private ones. This fundamental distinction is critical for maintaining the security of the entire cryptographic system. By diligently applying these advanced concepts and best practices, organizations can build a robust, resilient, and secure key management infrastructure around JWK, safeguarding their digital assets against an evolving threat landscape.

JWK in the Context of Identity and Access Management (IAM)

JSON Web Key (JWK) plays an absolutely pivotal role in modern Identity and Access Management (IAM) systems, particularly within the ecosystem of OAuth 2.0 and OpenID Connect (OIDC), as well as in securing interactions within complex microservices architectures. These protocols and architectural patterns have become the de facto standards for authentication and authorization on the web, and their reliance on JWK underscores the format's importance in establishing trust and interoperability.

OAuth 2.0 and OpenID Connect: The Bedrock of Web Identity

OAuth 2.0 is an authorization framework that allows a user to grant a third-party application limited access to their resources on a resource server, without sharing their credentials. OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0, providing a simple identity layer that enables clients to verify the identity of the end-user based on the authentication performed by an Authorization Server, and to obtain basic profile information about the end-user in an interoperable and REST-like manner.

In both OAuth 2.0 and OIDC, security tokens – specifically JSON Web Tokens (JWTs) – are extensively used. * ID Tokens (OIDC): These JWTs carry claims about the authenticated user and are signed by the OpenID Provider (the Authorization Server). Relying Parties (client applications) need to verify the signature of these ID Tokens to establish the user's identity. * Access Tokens (OAuth 2.0, often JWTs): These JWTs grant access to specific resources and are signed by the Authorization Server. Resource Servers (your APIs) need to verify the signature and validity of these Access Tokens before granting access to protected resources.

How JWK facilitates Trust: The entire trust model in OAuth 2.0 and OIDC, when JWTs are used, hinges on JWK. 1. Identity Provider (IdP) / Authorization Server: The IdP generates a cryptographic key pair (e.g., RSA or EC) and uses its private key to sign the JWTs it issues. To enable clients and resource servers to verify these signatures, the IdP exposes its public keys as a JWK Set (JWKS) at a well-known URL, typically https://{your-idp-domain}/.well-known/jwks.json. This endpoint is often discoverable via the OIDC Discovery Endpoint. 2. Relying Party / Resource Server (and API Gateway): When a client application or resource server receives an ID Token or Access Token, it follows a specific verification flow: * It first retrieves the JWKS from the IdP's well-known endpoint. * It extracts the kid and alg from the JWT's header. * It then searches the retrieved JWKS for a public key that matches the kid and alg specified in the JWT header. * Finally, it uses this public JWK to verify the JWT's signature. If the signature is valid, and other claims (like expiration, issuer, audience) are also valid, the token is considered trustworthy.

This mechanism ensures that only tokens legitimately issued and signed by the trusted IdP are accepted. JWK's standardized format makes this complex key exchange and verification process remarkably straightforward and interoperable across different vendors and implementations of OAuth 2.0 and OIDC. It eliminates the need for manual key exchange or proprietary key formats, solidifying its role as the backbone of modern web identity.

Microservices Architectures: Decentralized Trust Verification

The rise of microservices architectures has introduced new challenges and requirements for authentication and authorization. In a system composed of dozens or hundreds of independent services, establishing trust between these services efficiently and securely is paramount. JWTs, underpinned by JWK, offer an elegant solution for service-to-service authentication.

  • Service A calls Service B: When one microservice (Service A) needs to call another microservice (Service B), Service A can obtain or generate a JWT that identifies itself (or the end-user it's acting on behalf of). This JWT is then signed using a private key (often managed by an internal identity service or an internal CA).
  • Verification by Service B: Service B, upon receiving the request with the JWT, needs to verify its authenticity. Instead of relying on a centralized authentication service for every call (which could introduce latency and a single point of failure), Service B can use the public JWKS of the internal identity service to verify the JWT's signature locally. This allows for decentralized trust verification, where each service can independently validate the token.

The Role of an API Gateway: In a microservices environment, an API gateway often serves as a critical central enforcement point for these security policies. While individual microservices can perform local JWT validation, it is often more efficient and secure to delegate this responsibility to the gateway.

  1. Edge Validation: The API gateway can perform the initial, comprehensive JWT validation (signature, claims, expiration) using the public JWKS from the IdP. This protects the backend services from invalid or malicious tokens, as only legitimate requests are forwarded.
  2. Internal Token Generation/Augmentation: For internal service-to-service communication, the gateway might generate new JWTs or augment existing ones with additional claims, signing them with its own private key (or a key from an internal signing service).
  3. Policy Enforcement: The gateway enforces granular authorization policies based on the validated JWT claims, routing requests to specific services only if the user or service has the necessary permissions.

By centralizing and offloading JWT validation, the API gateway simplifies the development of individual microservices, allowing them to trust that any incoming request has already been authenticated and authorized. This not only improves security by reducing the attack surface on backend services but also enhances performance and scalability by distributing the validation workload. JWK's standardized format makes this gateway-centric approach to API security robust and interoperable, regardless of the underlying language or framework used by the microservices themselves. The entire ecosystem of identity, access, and secure communication relies heavily on the elegant simplicity and cryptographic strength provided by JWK.

Challenges and Considerations in JWK Implementation

While JSON Web Key (JWK) offers undeniable advantages in standardizing cryptographic key management and enhancing interoperability, its implementation is not without its challenges and crucial considerations. Overlooking these aspects can lead to vulnerabilities, operational inefficiencies, or unexpected disruptions. A comprehensive understanding of potential pitfalls is essential for building a truly secure and robust system.

Complexity of Key Management

Despite JWK simplifying the format of keys, the inherent complexity of managing cryptographic keys persists. This includes: * Lifecycle Management: Secure key generation, distribution, storage, rotation, and revocation require meticulous planning and execution. Errors at any stage can have catastrophic consequences. While JWK facilitates these operations through standardization, it doesn't automate the strategic decisions or the secure handling of private key material. * Algorithm Selection: Choosing appropriate cryptographic algorithms and key lengths (e.g., RSA 2048/3072, EC P-256/P-384) requires cryptographic expertise. Using weak or outdated algorithms, even with a perfectly formatted JWK, renders the entire security chain vulnerable. * Key Identification (kid) Strategy: While simple, defining a robust and consistent kid generation and management strategy is important. This includes ensuring uniqueness, avoiding collisions, and considering whether kids should be human-readable or opaque identifiers. * Cross-System Consistency: In large organizations, multiple teams might manage keys. Ensuring consistent JWK usage, kid strategies, and rotation policies across all teams can be a significant coordination challenge.

Performance Impact

Fetching and parsing JWKS, especially in high-traffic scenarios, can introduce performance overhead if not handled efficiently. * Frequent JWKS Retrieval: If an API gateway or resource server fetches the JWKS from an identity provider for every incoming JWT, it will lead to significant latency due to network calls and JSON parsing. * Caching Strategies: To mitigate this, robust caching mechanisms are essential. The JWKS should be fetched once and cached, with a clear strategy for cache invalidation or refresh. The Cache-Control header in the JWKS endpoint's HTTP response can guide this. However, stale caches can lead to verification failures if a key is rotated or revoked prematurely without the cache being updated. * Key Lookup Efficiency: Even with a cached JWKS, the process of looking up the correct key by kid must be efficient. Using appropriate data structures (e.g., hash maps) for JWK storage in memory is crucial.

Interoperability Issues (Despite Standardization)

While JWK is a standard, minor implementation differences or ambiguities can still arise between different cryptographic libraries or platforms. * Optional Parameters: Different libraries might have varying default behaviors or requirements for optional JWK parameters (e.g., use, alg). This can lead to subtle mismatches if not explicitly configured. * Base64url Encoding: Strict adherence to base64url encoding rules is critical. Minor deviations can lead to parsing errors. * Algorithm Support: Not all libraries support all alg values or all curve types for EC keys. Developers must ensure their chosen libraries are compatible with the algorithms used by their identity provider. * Error Handling: Robust error handling for malformed JWKs, missing kids, or network issues when fetching JWKS is essential to prevent application crashes or security bypasses.

Security Vulnerabilities from Misconfiguration

JWK itself is secure, but misconfigurations during implementation can create severe vulnerabilities. * Weak Algorithms: Using weak or deprecated algorithms (e.g., HS256 with a public key, or RSA keys with insufficient bit length) can make signatures easily forgeable or encrypted data easily decipherable. * Private Key Exposure: The most critical vulnerability is the accidental exposure of private JWKs. This could be due to insecure storage, improper environment variable management, or logging sensitive key material. An exposed private key allows attackers to impersonate the identity provider, sign forged tokens, or decrypt confidential data. * none Algorithm Abuse: The none algorithm (indicating no signature) in JWTs has been a source of vulnerability in the past. While modern libraries are typically hardened against this, it's a reminder that developers must carefully configure their verification logic to explicitly reject unsigned tokens when a signature is expected. * Lack of kid Verification: If an API gateway or client doesn't properly verify the kid in the JWT header against the available JWKS, an attacker might be able to trick the system into using an incorrect (potentially weaker or attacker-controlled) public key. * Outdated Libraries: Using outdated cryptographic libraries can expose systems to known vulnerabilities and bypasses. Regular updates are crucial.

Scalability Concerns

Managing JWKs across distributed systems, especially those with multiple identity providers or microservices, can pose scalability challenges. * Decentralized Key Management: In very large, decentralized architectures, managing JWKs from multiple issuers becomes complex. Orchestrating the fetching, caching, and rotation of multiple JWKS endpoints requires sophisticated gateway configurations or specialized key management solutions. * Microservice Deployment: Ensuring that every microservice has access to the correct and up-to-date JWKS, whether directly or via an API gateway, requires careful deployment and configuration management. * High Availability: The JWKS endpoint itself must be highly available and performant, as it is a critical dependency for all consuming services.

Addressing these challenges requires a disciplined approach, continuous monitoring, and a deep understanding of cryptographic principles. Developers and security architects must not only understand how JWK works but also how to secure its implementation and integrate it responsibly into their overall security architecture, especially within the critical path enforced by an API gateway.

Conclusion

The journey through the intricacies of JSON Web Key (JWK) reveals it as far more than just another data format; it is a foundational pillar supporting the modern architecture of digital security. We began by acknowledging the historical fragmentation and operational complexities inherent in traditional cryptographic key management, challenges that often hindered interoperability and increased security risks in an increasingly interconnected world. The need for a standardized, web-friendly approach was clear, and JWK emerged as the elegant solution.

JWK's design, rooted in the simplicity and ubiquity of JSON, offers an unparalleled degree of human readability and machine parsability. By providing a structured and unambiguous way to represent cryptographic keys—whether they are RSA, Elliptic Curve, or symmetric—JWK has eliminated many of the conversion headaches and interoperability barriers that plagued older formats. Its key components, such as kty, kid, use, and alg, furnish crucial metadata that informs consuming applications about the key's type, identity, intended purpose, and cryptographic algorithm, thereby streamlining cryptographic operations.

The introduction of the JWK Set (JWKS) further amplifies JWK's utility, providing a robust mechanism for managing collections of keys. This is particularly vital for dynamic environments demanding graceful key rotation, supporting multiple algorithms, or catering to diverse client requirements. Identity providers leveraging JWKS endpoints have effectively democratized key discovery, enabling API gateways and client applications to securely and automatically retrieve public keys for signature verification, a process that is central to the trust models of OAuth 2.0 and OpenID Connect.

We explored how JWK underpins critical web security protocols: JSON Web Signatures (JWS) for ensuring data integrity and authenticity, JSON Web Encryption (JWE) for safeguarding confidentiality, and JSON Web Tokens (JWT) as the composite, widely adopted standard for authentication and authorization. In each instance, JWK provides the essential cryptographic key material, enabling these protocols to function securely and interoperably. Practical implementation guidance, including conceptual code examples for key generation, signing, verification, encryption, and decryption, showcased how modern libraries abstract away complexities, making JWK integration accessible to developers. The pivotal role of an API gateway in this ecosystem was highlighted, demonstrating how robust platforms like APIPark leverage JWKS for efficient, centralized JWT validation, thereby offloading security concerns from backend services and enhancing overall system security and performance.

Finally, we delved into advanced concepts and best practices, emphasizing the critical importance of regular key rotation, the strategic use of kid and use parameters, the selection of strong cryptographic algorithms, and the absolute necessity of secure key storage and lifecycle management. While JWK significantly simplifies key representation, the inherent management of cryptographic keys remains a complex and critical task, demanding meticulous attention to detail, adherence to security principles, and proactive mitigation of potential challenges like performance impacts and misconfigurations.

In conclusion, JWK stands as an indispensable standard in the secure digital landscape. It provides the common language for cryptographic keys, fostering interoperability, enhancing security, and simplifying complex operations across disparate systems. As digital interactions continue to proliferate and evolve, mastering JWK is not just a technical skill; it is a strategic imperative for any organization committed to building secure, scalable, and resilient APIs and applications in an increasingly interconnected world. Its elegance and effectiveness ensure that the digital keys of tomorrow will continue to unlock innovation without compromising trust.

Frequently Asked Questions (FAQ)

1. What is a JSON Web Key (JWK) and why is it important?

A JSON Web Key (JWK) is a standardized JSON object that represents a cryptographic key. It's crucial because it provides a uniform, human-readable, and machine-parsable format for cryptographic keys across web applications and services. This standardization significantly simplifies key exchange, storage, and usage, improving interoperability and security compared to older, fragmented key formats. JWK underpins modern security protocols like JSON Web Tokens (JWT) for authentication and authorization.

2. How does a JWK Set (JWKS) work and why is it used with an API Gateway?

A JWK Set (JWKS) is a JSON object containing an array of JWK objects. It's used to manage and distribute multiple cryptographic keys, especially for services that use key rotation or support various algorithms. An API gateway heavily relies on JWKS. When a client sends a request with a JWT, the gateway fetches the public JWKS from the identity provider (often from a .well-known/jwks.json endpoint). It then uses the kid (Key ID) from the JWT header to find the corresponding public key in the JWKS and verifies the JWT's signature. This centralizes security enforcement, offloads validation from backend services, and streamlines key management.

3. What are the key parameters within a JWK and what do they signify?

Key parameters within a JWK include: * kty (Key Type): Identifies the cryptographic algorithm family (e.g., "RSA", "EC", "oct"). * kid (Key ID): A unique identifier for the key, crucial for selecting a specific key from a JWKS. * use (Public Key Use): Indicates the key's intended purpose (e.g., "sig" for signature verification, "enc" for encryption). * alg (Algorithm): Specifies the cryptographic algorithm intended for use with the key (e.g., "RS256", "ES256"). * Key-specific parameters: Such as n and e for RSA (modulus and public exponent), crv, x, and y for EC (curve and coordinates), or k for symmetric keys. These parameters hold the actual mathematical components of the key.

4. What is key rotation, and why is it a best practice for JWKs?

Key rotation is the practice of regularly replacing existing cryptographic keys with new ones. It's a critical best practice because it limits the impact of a potential key compromise, reduces the amount of data secured by a single key, and helps meet compliance requirements. For JWKs, graceful key rotation involves adding new public keys to the JWKS endpoint, gradually phasing out old keys, and ensuring that consuming services (like an API gateway) can still validate tokens signed with older keys during a defined grace period before the old key is finally removed.

5. How can JWKs enhance the security of an API ecosystem?

JWKs significantly enhance API security by: * Standardizing Key Representation: Ensures interoperability between different systems and APIs, making key exchange and validation seamless. * Enabling Robust JWT Validation: Serves as the backbone for verifying JWTs (used for authentication/authorization) by providing a discoverable source for public signing keys. * Facilitating Key Management: Simplifies key rotation and lifecycle management through JWKS, allowing for dynamic updates without service disruption. * Centralizing Security: When integrated with an API gateway, JWKs allow the gateway to perform comprehensive, centralized authentication and authorization checks at the network edge, protecting backend APIs more effectively. * Improving Auditing and Compliance: Standardized key formats and management practices contribute to better audit trails and easier compliance with security regulations.

🚀You can securely and efficiently call the OpenAI API on APIPark in just two steps:

Step 1: Deploy the APIPark AI gateway in 5 minutes.

APIPark is developed based on Golang, offering strong product performance and low development and maintenance costs. You can deploy APIPark with a single command line.

curl -sSO https://download.apipark.com/install/quick-start.sh; bash quick-start.sh
APIPark Command Installation Process

In my experience, you can see the successful deployment interface within 5 to 10 minutes. Then, you can log in to APIPark using your account.

APIPark System Interface 01

Step 2: Call the OpenAI API.

APIPark System Interface 02
Install APIPark – it’s free
Previous

Mistral Hackathon: Innovate, Code, Conquer AI

 Next

Practical Gcloud Container Operations List API Example