App keys

AppKey is an entity that represents a key pair that can be used by an app to make a signed request to Contentful in order to issue an access token for a specific app installation.

The top-level jwk property holds a standard JSON Web Key. The following properties require constant values:

  • alg: "RS256"
  • kty: "RSA"
  • use: "sig"

As shown, the generated key must be an RSA key using the RS256 algorithm. To generate such a key pair, you can use openssl (you may need to download a binary if you’re not on Mac or Linux):

$ openssl req -x509 -newkey rsa:4096 -nodes -batch -noout -keyout key.pem
$ openssl rsa -in key.pem -pubout -outform DER -out key.der.pub

The content of key.der.pub can be used as the first element of the x5c array. Please note:

  • key.der.pub is binary DER, so its content needs to be encoded as a base64 string before it is placed in x5c
  • Contentful never expects your private keys: make sure you’re uploading the public key!

The signature value (the SHA-256 digest of key.der.pub, base64url-encoded without padding) is used as both kid and x5t. We will also use it as a globally unique key identifier within Contentful. To generate a signature, use:

$ openssl dgst -binary -sha256 < key.der.pub | openssl base64 | sed 's/+/-/g; s/\//_/g; s/=*$//'
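
One way to assemble the jwk value from key.der.pub and to refuse a private key or PEM file before upload, as an added example that is not Contentful's own code. The function names and SAMPLE_DER (a constructed toy key) are assumptions, and the body carries only the properties listed above.

```python
import base64
import hashlib

# DER bytes of the rsaEncryption OID (1.2.840.113549.1.1.1)
RSA_OID = bytes.fromhex("06092a864886f70d010101")

# Constructed toy SubjectPublicKeyInfo (tiny modulus, structure only, not a usable key)
SAMPLE_DER = bytes.fromhex(
    "301d300d06092a864886f70d0101010500030c003009020200c10203010001")

def _read_header(buf, pos):
    """Return (tag, content_start, content_length) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def check_rsa_public_der(der):
    """Raise ValueError unless der is a DER RSA SubjectPublicKeyInfo."""
    if der.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("PEM input; expected DER (-outform DER)")
    try:
        tag, start, length = _read_header(der, 0)
        inner_tag, inner_start, _ = _read_header(der, start)
    except IndexError:
        raise ValueError("truncated DER") from None
    if tag != 0x30 or start + length != len(der):
        raise ValueError("not a single DER SEQUENCE")
    if inner_tag == 0x02:
        # PKCS#1 and PKCS#8 private keys begin with an INTEGER version field
        raise ValueError("not a SubjectPublicKeyInfo; possibly a private key")
    if inner_tag != 0x30 or not der[inner_start:].startswith(RSA_OID):
        raise ValueError("not an RSA SubjectPublicKeyInfo")

def build_app_key_payload(der):
    """Build the jwk body from the bytes of key.der.pub."""
    check_rsa_public_der(der)
    digest = hashlib.sha256(der).digest()
    # Same transform as the openssl | base64 | sed pipeline: base64url, no padding
    fingerprint = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return {"jwk": {
        "alg": "RS256", "kty": "RSA", "use": "sig",
        "x5c": [base64.b64encode(der).decode()],
        "kid": fingerprint, "x5t": fingerprint,
    }}

if __name__ == "__main__":
    import json
    print(json.dumps(build_app_key_payload(SAMPLE_DER), indent=2))
```

For a real key, pass the bytes read from key.der.pub in binary mode instead of SAMPLE_DER.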

Limitations:

  • the same key pair cannot be used for more than one app
  • the limit of keys per app is 3 (which makes it possible to perform a rotation while keeping one backup key operational)

If you do not want to create your own key pair with openssl, we also offer the functionality to generate the key pair for you. It is important to note that we do not store any private keys on our side and only store the public key. We show the private key only once in the response of the POST request, so make sure that you store the private key and keep it safe. Once the response is lost, there is no other way to retrieve the private key.

App keys

Get all app keys

Create a new app key

To generate a new key pair, use the Create a new app key endpoint, passing the payload below:

{
  "generate": true
}

App key

Get an app key

Delete an app key