
Authentication

Learn how to authenticate with the Vertex Engine API.

New Authentication Model

The new authentication model ensures that private keys stay with the end user. The overall process of creating and exchanging credentials is as follows:

  • The end user generates an NKey pair (seed and public key)
  • The end user shares the public portion of the key pair
  • SAVA generates a JWT, which is required for connecting to the NATS server
  • The end user creates a creds file combining the seed and the JWT, used for connecting
  • The end user uses the creds file to connect to the NATS server

Installing NSC

NSC can be installed using the following command:

Install NSC(bash)
curl -L https://raw.githubusercontent.com/nats-io/nsc/master/install.py | python

NB: python can be replaced with python3 if required, depending on your system configuration.

nsc must be added to your $PATH environment variable for the following commands to work. The install command above prints the instructions.

Here is an example of those instructions, using bash:

NSC: /root/.nsccli/bin/nsc
Now manually add /root/.nsccli/bin to your $PATH
Bash Example:
  echo 'export PATH="$PATH:/root/.nsccli/bin"' >> $HOME/.bashrc
  source $HOME/.bashrc

NB: /root in the above example will be replaced with the current user's home directory.

Generate an NKey Pair

Generate an NKey pair using the following command:

Generate NKey Pair(bash)
nsc generate nkey -u

This will generate an NKey pair consisting of a seed token and a public key, as follows:

SUAETLJPP53NULSKWUBHKIKK2HVYGZW43NMMIPKNFXIFJXZWSHIT2QOYXI
UC6AIDQZZHETSQOUTTSIJLU65RMXSCW533TJKBRY4AR7GJR5XFKGIONO

The line starting with SU is the seed token for a user. Keep this token for future use. Losing it will render the JWT useless.

Share the public key with SAVA, who will generate and return a JWT that completes the credentials.

Creating a creds file for connecting

Once the JWT is returned from SAVA, a creds file must be created in order to connect to the server. This is a simple text file, usually denoted with a .creds extension. The format of the file is as follows:

Credentials File Format(text)
-----BEGIN NATS USER JWT-----
eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJOVlNSQTZHV09PQ0hVSEJXRE9RVTU0QkJCUUdINEJaM0dGVk1INktQQjRKWjczVjU1SlBRIiwiaWF0IjoxNzI0MzI4OTQ3LCJpc3MiOiJBQ0RHVlNDTEhGSElLNUhWSTNCVDRFNjRXWExCUFNZRVhJUTVPNkRPU0VFRUpRMkVCRzY2N0ZTSCIsIm5hbWUiOiJiZW50aG9zIiwic3ViIjoiVUEyNE82VVBSQUROSU80NVc3U0FXQzNUM1VLSUE0UDJEVjQ3V0xUUUVUNUlPWVpHUE9UTkRaN0YiLCJuYXRzIjp7InB1YiI6e30sInN1YiI6e30sImlzc3Vlcl9hY2NvdW50IjoiQUFVNUpNWklVUEFKRDZaNDJTV1RLQ1M0VE5HWVg1M1BGRk9SU1hITVg0Ukk2STdWWEdLVFRNVVAiLCJ0eXBlIjoidXNlciIsInZlcnNpb24iOjJ9fQ.CjE-_aPMEfeHTpmx0R0U1rVdOJ7VVHeyPPzOVvJ56Nsz93fo1eLAsxQ5sGkCKDZZbTW9SjhdhmOH1JGZe4FIBw
------END NATS USER JWT------

************************* IMPORTANT *************************
NKEY Seed printed below can be used to sign and prove identity.
NKEYs are sensitive and should be treated as secrets.

-----BEGIN USER NKEY SEED-----
SUAETLJPP53NULSKWUBHKIKK2HVYGZW43NMMIPKNFXIFJXZWSHIT2QOYXI
------END USER NKEY SEED------

*************************************************************

Replace the contents between -----BEGIN NATS USER JWT----- and ------END NATS USER JWT------ with the provided JWT.

Additionally, replace the contents between -----BEGIN USER NKEY SEED----- and ------END USER NKEY SEED------ with your NKey seed.

NB: This file format is very specific and the spacing should not be adjusted. To minimize errors, we suggest copying the template below and replacing the annotated sections.

Creds template

-----BEGIN NATS USER JWT-----
<jwt here>
------END NATS USER JWT------

************************* IMPORTANT *************************
NKEY Seed printed below can be used to sign and prove identity.
NKEYs are sensitive and should be treated as secrets.

-----BEGIN USER NKEY SEED-----
<nkseed: starts with SU>
------END USER NKEY SEED------

*************************************************************
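
The creds-file step above as an added Python example (not code from this documentation or from SAVA): it fills the template, checks that the seed is a user seed and that the returned JWT's `sub` claim is the public key you shared, and writes the file readable only by its owner. The function names and the `sub` / `nats.type` checks are this example's own assumptions; the JWT signature is not verified here.

```python
import base64
import json
import os

# Added example; function names are illustrative, not part of nsc or the API.
# Layout copied from the creds template on this page; spacing is significant.
CREDS_TEMPLATE = """-----BEGIN NATS USER JWT-----
{jwt}
------END NATS USER JWT------

************************* IMPORTANT *************************
NKEY Seed printed below can be used to sign and prove identity.
NKEYs are sensitive and should be treated as secrets.

-----BEGIN USER NKEY SEED-----
{seed}
------END USER NKEY SEED------

*************************************************************
"""


def jwt_claims(jwt):
    """Decode the JWT payload (no signature check; the server does that)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def render_creds(jwt, seed, public_key):
    """Validate the pieces against each other and return the creds text."""
    jwt, seed, public_key = jwt.strip(), seed.strip(), public_key.strip()
    if not seed.startswith("SU"):
        raise ValueError("seed is not a user seed (must start with SU)")
    claims = jwt_claims(jwt)
    if claims.get("sub") != public_key:
        raise ValueError("JWT was issued for a different public key")
    if claims.get("nats", {}).get("type") != "user":
        raise ValueError("JWT is not a user JWT")
    return CREDS_TEMPLATE.format(jwt=jwt, seed=seed)


def write_creds(path, text):
    """Create the file owner-only (0600) and refuse to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
```

Call `render_creds` with the JWT returned by SAVA, your seed, and the public key you shared, then pass the result to `write_creds`.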

Connecting

Connecting to the server remains the same as stated in the documentation.