Update other places we reference key types to be more general where possible or specifically mention OKP/EdDSA where being general does not work

spwitt · spwitt · commit ff62975cf5a4 · 2025-12-18T10:25:06.000-06:00
diff --git a/astro/src/content/docs/apis/_event-types.mdx b/astro/src/content/docs/apis/_event-types.mdx
@@ -4,7 +4,7 @@ import AvailableSince from 'src/components/api/AvailableSince.astro';
 
 * `audit-log.create` - When an audit log is created <AvailableSince since="1.30.0" />
 * `event-log.create` - When an event log is created  <AvailableSince since="1.30.0" />
-* `jwt.public-key.update` - When a JWT RSA Public / Private keypair may have been changed
+* `jwt.public-key.update` - When a JWT signing Public / Private keypair may have been changed
 * `jwt.refresh` - When an access token is refreshed using a refresh token  <AvailableSince since="1.16.0" />
 * `jwt.refresh-token.revoke` - When a JWT Refresh Token is revoked
 * `kickstart.success` - When kickstart has successfully completed  <AvailableSince since="1.30.0" />
diff --git a/astro/src/content/docs/apis/_key-generate-post-request-body.mdx b/astro/src/content/docs/apis/_key-generate-post-request-body.mdx
@@ -22,15 +22,15 @@ import JSON from 'src/components/JSON.astro';
      * `HS512` - HMAC using SHA-512 hash algorithm
   </APIField>
   <APIField name="key.issuer" type="String" optional>
-    The issuer of the RSA or EC certificate.
+    The issuer of the certificate.
 
     If omitted, this value will default to the value of <InlineField>tenant.issuer</InlineField> on the default tenant.  For HMAC keys, this field does not apply and will be ignored if specified, and no default value will be set.
   </APIField>
   <APIField name="key.name" type="String" required>
     The name of the Key.
   </APIField>
   <APIField name="key.length" type="String" optional>
-    The length  of the RSA or EC certificate.  This field is required when generating RSA key types.
+    The length of the RSA or EC certificate.  This field is required when generating RSA key types.
 
     For RSA, possible values are: `2048`, `3072` or `4096`.
 
diff --git a/astro/src/content/docs/apis/_key-import-post-request-body.mdx b/astro/src/content/docs/apis/_key-import-post-request-body.mdx
@@ -21,7 +21,7 @@ import JSON from 'src/components/JSON.astro';
      * `HS512` - HMAC using SHA-512 hash algorithm
   </APIField>
   <APIField name="key.certificate" type="String" optional>
-    The certificate to import.  The `publicKey` will be extracted from the certificate.
+    The certificate to import. The `publicKey` will be extracted from the certificate.
   </APIField>
   <APIField name="key.kid" type="String" optional>
     The Key identifier 'kid'. When this value is omitted, one will be generated.
@@ -30,16 +30,16 @@ import JSON from 'src/components/JSON.astro';
     The name of the Key. It must be unique among all Keys.
   </APIField>
   <APIField name="key.publicKey" type="String" optional>
-    The Key public key.  Required if importing an RSA or EC key and a `certificate` is not provided.
+    The Key public key. If the key is only to be used for signing, only a private key is necessary and this field may be omitted. This field should be omitted when importing an HMAC key type.
   </APIField>
   <APIField name="key.privateKey" type="String" optional>
-    The Key private key.  Optional if importing an RSA or EC key. If the key is only to be used for token validation, only a public key is necessary and this field may be omitted.
+    The Key private key. If the key is only to be used for signature validation, only a public key is necessary and this field may be omitted. This field should be omitted when importing an HMAC key type.
   </APIField>
   <APIField name="key.secret" type="String" optional>
     The Key secret. This field is required if importing an HMAC key type.
   </APIField>
   <APIField name="key.type" type="String" optional>
-    The Key type.  This field is required if importing an HMAC key type, or if importing a public key / private key pair. The possible values are:
+    The Key type. This field is required if importing an HMAC key type, or if importing a public key / private key pair. The possible values are:
 
     * `EC`
     * `OKP` <AvailableSince since="1.62.0" />
diff --git a/astro/src/content/docs/apis/_key-response-body-base.mdx b/astro/src/content/docs/apis/_key-response-body-base.mdx
@@ -12,43 +12,43 @@ import JSON from 'src/components/JSON.astro';
     The algorithm used to generate the key.
   </APIField>
   <APIField name={ props.base_field_name + ".certificate" } type="String">
-    The RSA or EC X.509 certificate. This field is omitted for HMAC key types.
+    The X.509 certificate. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".certificateInformation" } type="Map<String, Object>">
-    The RSA or EC certificate information. This field is omitted for HMAC key types.
+    The certificate information. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".certificateInformation.issuer" } type="String">
-    The issuer of the RSA or EC certificate. This field is omitted for HMAC key types.
+    The issuer of the certificate. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".certificateInformation.md5Fingerprint" } type="String">
-    The md5 fingerprint of the RSA or EC certificate. This field is omitted for HMAC key types.
+    The md5 fingerprint of the certificate. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".certificateInformation.serialNumber" } type="String">
-    The serial number of the RSA or EC certificate. This field is omitted for HMAC key types.
+    The serial number of the certificate. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".certificateInformation.sha1Fingerprint" } type="String">
-    The SHA-1 fingerprint of the RSA or EC certificate. This field is omitted for HMAC key types.
+    The SHA-1 fingerprint of the certificate. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".certificateInformation.sha1Thumbprint" } type="String">
-    The SHA-1 thumbprint of the RSA or EC certificate. This field is omitted for HMAC key types.
+    The SHA-1 thumbprint of the certificate. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".certificateInformation.sha256Fingerprint" } type="String">
-    The SHA-256 fingerprint of the RSA or EC certificate. This field is omitted for HMAC key types.
+    The SHA-256 fingerprint of the certificate. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".certificateInformation.sha256Thumbprint" } type="String">
-    The SHA-256 thumbprint of the RSA or EC certificate. This field is omitted for HMAC key types.
+    The SHA-256 thumbprint of the certificate. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".certificateInformation.subject" } type="String">
-    The subject of the RSA or EC certificate. This field is omitted for HMAC key types.
+    The subject of the certificate. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".certificateInformation.validFrom" } type="Integer">
-    The UNIX time in milliseconds marking the start of the RSA or EC certificate validity period. This field is omitted for HMAC key types.
+    The UNIX time in milliseconds marking the start of the certificate validity period. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".certificateInformation.validTo" } type="Integer">
-    The UNIX time in milliseconds marking the expiration RSA or EC certificate. This field is omitted for HMAC key types.
+    The UNIX time in milliseconds marking the expiration certificate. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".expirationInstant" } type="Integer">
-    The [instant](/docs/reference/data-types#instants) marking the expiration RSA or EC certificate. This field is omitted for HMAC key types.
+    The [instant](/docs/reference/data-types#instants) marking the expiration certificate. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".hasPrivateKey" } type="Boolean">
     Because the private key will never be returned in the API response, this value will indicate if the private key is stored in FusionAuth. This field is omitted for HMAC key types.
@@ -60,7 +60,7 @@ import JSON from 'src/components/JSON.astro';
     The [instant](/docs/reference/data-types#instants) that the key was added to the FusionAuth database.
   </APIField>
   <APIField name={ props.base_field_name + ".issuer" } type="String">
-    The issuer of the RSA or EC certificate. This field is omitted for HMAC key types.
+    The issuer of the certificate. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".kid" } type="String">
     The key identifier 'kid'.
@@ -69,13 +69,13 @@ import JSON from 'src/components/JSON.astro';
     The [instant](/docs/reference/data-types#instants) that the key was updated in the FusionAuth database.
   </APIField>
   <APIField name={ props.base_field_name + ".length" } type="String">
-    The length of the RSA or EC certificate. This field is omitted for HMAC key types.
+    The length of the certificate. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".name" } type="String">
     The name of the key.
   </APIField>
   <APIField name={ props.base_field_name + ".publicKey" } type="String">
-    The RSA or EC certificate public key. This field is omitted for HMAC key types.
+    The certificate public key. This field is omitted for HMAC key types.
   </APIField>
   <APIField name={ props.base_field_name + ".type" } type="String">
     The key type. The possible values are:
@@ -96,6 +96,8 @@ import JSON from 'src/components/JSON.astro';
 <JSON title="Example RSA Key Response JSON" src="keys/rsa-response.json" />
 
 <JSON title="Example EC Key Response JSON" src="keys/ec-response.json" />
+
+<JSON title="Example EdDSA Key Response JSON" src="keys/eddsa-response.json" />
   
 </>}
 
diff --git a/astro/src/content/docs/apis/jwt.mdx b/astro/src/content/docs/apis/jwt.mdx
@@ -142,7 +142,7 @@ _Response Codes_
 
 ## Retrieve Public Keys
 
-This API is used to retrieve Public Keys generated by FusionAuth. These can be used to cryptographically verify JWTs signed with the corresponding RSA or ECDSA private key.
+This API is used to retrieve Public Keys generated by FusionAuth. These can be used to cryptographically verify JWTs signed with the corresponding private key.
 
 ### Request
 
diff --git a/astro/src/content/docs/extend/events-and-webhooks/events/index.mdx b/astro/src/content/docs/extend/events-and-webhooks/events/index.mdx
@@ -20,7 +20,7 @@ These are the events that FusionAuth generates that can be optionally consumed b
 
 * [Audit Log Create](/docs/extend/events-and-webhooks/events/audit-log-create) - when an audit log is created
 * [Event Log Create](/docs/extend/events-and-webhooks/events/event-log-create) - when an event log is created
-* [JWT Public Key Update](/docs/extend/events-and-webhooks/events/jwt-public-key-update) - when a JWT RSA Public / Private keypair used for signing may have been updated
+* [JWT Public Key Update](/docs/extend/events-and-webhooks/events/jwt-public-key-update) - when a JWT signing Public / Private keypair used for signing may have been updated
 * [JWT Refresh](/docs/extend/events-and-webhooks/events/jwt-refresh) - when an access token is refreshed using a refresh token
 * [JWT Refresh Token Revoke](/docs/extend/events-and-webhooks/events/jwt-refresh-token-revoke) - when a refresh token (or multiple tokens) are revoked
 * [Kickstart Success](/docs/extend/events-and-webhooks/events/kickstart-success) - when kickstart has successfully completed
diff --git a/astro/src/content/docs/extend/events-and-webhooks/signing.mdx b/astro/src/content/docs/extend/events-and-webhooks/signing.mdx
@@ -28,11 +28,12 @@ Configuring webhook signatures in FusionAuth consists of generating a key and co
 
 Keys are generated or imported from <Breadcrumb>Settings -> Key Master</Breadcrumb>. Webhooks can be signed with three types of keys
 
-* EC key - strongest cryptography, public key can be available
+* OKP (EdDSA) key - strongest cryptography, public key can be available
+* EC key - stronger cryptography, public key can be available
 * RSA key - strong cryptography, public key can be available
 * HMAC key - fast cryptography, requires manual key distribution
 
-EC and RSA keys allow you to make public keys available through the `/.well-known/jwks.json` endpoint, which facilitates key rotation. If your webhook listener cannot make outbound network connections or you prefer to manually configure your key in your webhook listener, HMAC keys are a good option.
+Asymmetric key types allow you to make public keys available through the `/.well-known/jwks.json` endpoint, which facilitates key rotation. If your webhook listener cannot make outbound network connections or you prefer to manually configure your key in your webhook listener, HMAC keys are a good option.
 
 For this example, we'll use an RSA key pair. More information on keys is available in the [Key Master Guide](/docs/operate/secure/key-master).
 
@@ -87,7 +88,7 @@ The [Webhook Testing](/docs/extend/events-and-webhooks#test-a-webhook) page prov
 
 [Rotating keys](/docs/operate/secure/key-rotation) regularly is an important part of a defense-in-depth strategy. The type of key used for signing webhook events and the method used for fetching that key determines the process for rotating keys.
 
-* Signatures validated using a public key (RSA or EC) where signature verification dynamically fetches public key from `.well-known/jwks.json` endpoint
+* Signatures validated using a public key where signature verification dynamically fetches public key from `.well-known/jwks.json` endpoint
   * Generate new key in FusionAuth
   * Update webhook signing key to use new key
   * Test
diff --git a/astro/src/content/docs/lifecycle/authenticate-users/login-api/json-web-tokens.mdx b/astro/src/content/docs/lifecycle/authenticate-users/login-api/json-web-tokens.mdx
@@ -80,13 +80,13 @@ FusionAuth provides three configuration locations for JWT signing:
 * an Application level setting
 * with [Entity Management](/docs/get-started/core-concepts/entity-management), each entity type can have a unique key
 
-FusionAuth supports configurations for HMAC, ECDSA (Elliptic Curve) or RSA based signing algorithms.
+FusionAuth supports configurations for HMAC, ECDSA (Elliptic Curve), EdDSA, or RSA based signing algorithms.
 
 Keys are managed in [Key Master](/docs/operate/secure/key-master) and can be generated or imported there.
 
-### ECDSA & RSA Signing
+### Asymmetric Signing
 
-If you are using FusionAuth in a hybrid environment where applications may be untrusted, asymmetric ECDSA or RSA signing is preferred.
+If you are using FusionAuth in a hybrid environment where applications may be untrusted, asymmetric signing using EdDSA, ECDSA, or RSA is preferred.
 
 Using this approach allows you to provide applications with a public key to verify the JWT signature while securing the private key in FusionAuth.
 
diff --git a/astro/src/content/docs/operate/secure/compliance.mdx b/astro/src/content/docs/operate/secure/compliance.mdx
@@ -17,7 +17,7 @@ Here is a non-exhaustive list of encryption FusionAuth uses:
 
 ### Signing
 
-FusionAuth signs the items below using various cryptographic signature algorithms including HMAC, RSA, and ECDSA:
+FusionAuth signs the items below using various cryptographic signature algorithms including HMAC, RSA, ECDSA, and EdDSA:
 
 * JWT signing
 * XML signing for SAML
diff --git a/astro/src/content/json/keys/eddsa-response.json b/astro/src/content/json/keys/eddsa-response.json
@@ -0,0 +1,29 @@
+{
+  "key": {
+    "algorithm": "Ed25519",
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIHsMIGfoAMCAQECEQDqdRGGNnhIwI8IEfDjwZN7MAUGAytlcDAYMRYwFAYDVQQD\nEw1mdXNpb25hdXRoLmlvMB4XDTI1MTIxODE2MDUyNVoXDTM1MTIxODE2MDUyNVow\nGDEWMBQGA1UEAxMNZnVzaW9uYXV0aC5pbzAqMAUGAytlcAMhAI+wTC3wU30tqiGR\n8RsFrAYl++dNZTRIdwUqPmMv3xeqMAUGAytlcANBANiOCGE+XoUorYo13gor1PWM\n6sL7j2oDBbSExzThihvYXyO7Lx7s8ZCgJ8rIcxgDQRJbhq1n5oxMAvGnzezDMwQ=\n-----END CERTIFICATE-----",
+    "certificateInformation": {
+      "issuer": "CN=fusionauth.io",
+      "md5Fingerprint": "74:19:09:95:D9:6F:52:D9:83:D5:CD:48:D2:26:34:A2",
+      "serialNumber": "00:EA:75:11:86:36:78:48:C0:8F:08:11:F0:E3:C1:93:7B",
+      "sha1Fingerprint": "AB:6D:71:A6:B6:36:BA:D3:00:7D:1D:E8:CB:08:25:6F:46:13:EF:51",
+      "sha1Thumbprint": "q21xprY2utMAfR3oywglb0YT71E",
+      "sha256Fingerprint": "1A:BE:72:43:9A:B6:06:D5:08:32:06:28:A8:1B:DF:73:A2:99:5E:82:FF:C4:A3:FD:F3:9B:5F:5F:80:4A:27:D4",
+      "sha256Thumbprint": "Gr5yQ5q2BtUIMgYoqBvfc6KZXoL_xKP985tfX4BKJ9Q",
+      "subject": "CN=fusionauth.io",
+      "validFrom": 1766073925573,
+      "validTo": 2081606725573
+    },
+    "expirationInstant": 2081606725573,
+    "hasPrivateKey": true,
+    "id": "ea751186-3678-48c0-8f08-11f0e3c1937b",
+    "insertInstant": 1766073925573,
+    "issuer": "fusionauth.io",
+    "kid": "q21xprY2utMAfR3oywglb0YT71E",
+    "lastUpdateInstant": 1766073925573,
+    "length": 32,
+    "name": "EdDSA using the Ed25519 parameter set",
+    "publicKey": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAj7BMLfBTfS2qIZHxGwWsBiX7501lNEh3BSo+Yy/fF6o=\n-----END PUBLIC KEY-----",
+    "type": "OKP"
+  }
+}
