Skip to Content
@exortek/jwkgenerate — mint fresh keys

jwk.generate

Mint a fresh JWK — asymmetric key types return both the public and private projection in a single call; the oct type returns one object (both slots reference it because symmetric keys have no split).

import { jwk } from '@exortek/jwk' const { publicJwk, privateJwk } = await jwk.generate('EC', { curve: 'P-256', use: 'sig', alg: 'ES256', kid: 'signing-key-2026', })

Decoration fields (kid, use, alg, key_ops) are copied verbatim onto both projections when provided — one call, no post-processing.

Signature

generate(kty: 'EC' | 'RSA' | 'OKP' | 'oct', options?): Promise<GeneratedKeyPair>
FieldTypeNotes
publicJwkobjectPublic projection; for oct this is the same reference as below.
privateJwkobjectContains d (EC / RSA / OKP) or k (oct).

Kty × curve matrix

Elliptic-curve keys (RFC 7518 §6.2 + RFC 8812 for secp256k1).

curveCoordinate bytesCommon algUse case
P-25632ES256JWT default — the safe pick
P-38448ES384Higher security margin
P-52166ES512Maximum classical strength
secp256k132ES256KBitcoin / Ethereum interop
const { publicJwk, privateJwk } = await jwk.generate('EC', { curve: 'P-256', // default kid: 'ec-key-1', use: 'sig', alg: 'ES256', }) // privateJwk: { kty:'EC', crv:'P-256', x:'…', y:'…', d:'…', kid, use, alg }

Decoration fields

Any of the following are forwarded onto both projections:

  • kid — key identifier string.
  • use"sig" or "enc".
  • alg — JOSE algorithm identifier (e.g. ES256, PS384, EdDSA).
  • key_ops — array of operations. Must be consistent with use when both are set (see validate).

Errors

CodeWhen
UNSUPPORTED_KTYkty not one of EC / RSA / OKP / oct.
UNSUPPORTED_CURVEcurve not in the per-kty matrix above.
INVALID_ARGUMENTmodulusLength under 2048 or bits under 128 (or non-8x).
Last updated on