jwk.generate
Mint a fresh JWK — asymmetric key types return both the public and
private projection in a single call; the oct type returns one object
(both slots reference it because symmetric keys have no split).
import { jwk } from '@exortek/jwk'
const { publicJwk, privateJwk } = await jwk.generate('EC', {
curve: 'P-256',
use: 'sig',
alg: 'ES256',
kid: 'signing-key-2026',
})Decoration fields (kid, use, alg, key_ops) are copied verbatim
onto both projections when provided — one call, no post-processing.
Signature
generate(kty: 'EC' | 'RSA' | 'OKP' | 'oct', options?): Promise<GeneratedKeyPair>| Field | Type | Notes |
|---|---|---|
publicJwk | object | Public projection; for oct this is the same reference as below. |
privateJwk | object | Contains d (EC / RSA / OKP) or k (oct). |
Kty × curve matrix
EC
Elliptic-curve keys (RFC 7518 §6.2 + RFC 8812 for secp256k1).
curve | Coordinate bytes | Common alg | Use case |
|---|---|---|---|
P-256 | 32 | ES256 | JWT default — the safe pick |
P-384 | 48 | ES384 | Higher security margin |
P-521 | 66 | ES512 | Maximum classical strength |
secp256k1 | 32 | ES256K | Bitcoin / Ethereum interop |
const { publicJwk, privateJwk } = await jwk.generate('EC', {
curve: 'P-256', // default
kid: 'ec-key-1',
use: 'sig',
alg: 'ES256',
})
// privateJwk: { kty:'EC', crv:'P-256', x:'…', y:'…', d:'…', kid, use, alg }Decoration fields
Any of the following are forwarded onto both projections:
kid— key identifier string.use—"sig"or"enc".alg— JOSE algorithm identifier (e.g.ES256,PS384,EdDSA).key_ops— array of operations. Must be consistent withusewhen both are set (seevalidate).
Errors
| Code | When |
|---|---|
UNSUPPORTED_KTY | kty not one of EC / RSA / OKP / oct. |
UNSUPPORTED_CURVE | curve not in the per-kty matrix above. |
INVALID_ARGUMENT | modulusLength under 2048 or bits under 128 (or non-8x). |
Last updated on