System Administrators Configure the Nordiqo Login Protocol for External API Authentication

Understanding the Nordiqo Login Protocol and JWT Architecture
The Nordiqo Login protocol provides a framework for authenticating external API requests using encrypted JSON Web Tokens (JWTs). Sysadmins configure this protocol to establish a trust boundary between the Nordiqo platform and third-party services. The protocol relies on asymmetric cryptography: the Nordiqo identity provider signs tokens with a private key, while external APIs verify them using a public key distributed during initial configuration.
Each JWT contains a header specifying the signing algorithm (typically RS256 or ES384), a payload with standard claims (iss, sub, exp) and custom claims (scope, tenant_id), and a signature. The encryption layer ensures that payload data remains opaque to intermediaries. Sysadmins must define token lifetime policies (commonly 15 minutes for access tokens and 24 hours for refresh tokens) to balance security with operational overhead.
Key Configuration Parameters
Sysadmins set the token endpoint URL, public key rotation interval (default 30 days), and allowed clock skew (usually 5 seconds). The protocol supports audience validation: each API request must contain an “aud” claim matching the registered resource identifier. Misconfiguration here leads to failed handshakes or token replay attacks.
Step-by-Step Configuration for External API Gateways
Begin by generating a key pair on the Nordiqo admin panel. Download the public key in PEM format and upload it to your API gateway or middleware service. Configure the gateway to intercept all incoming requests, extract the JWT from the Authorization header (Bearer scheme), and validate the signature against the stored public key. Sysadmins must also implement certificate pinning if the key is distributed via HTTPS.
Next, define claim mapping rules. For example, map the “sub” claim to an internal user ID and the “scope” claim to specific API permissions. Use middleware libraries like PyJWT or jsonwebtoken for Node.js to automate validation. Set strict expiry checks: reject tokens with “exp” timestamps older than the current server time plus the configured skew. Log all validation failures, including reasons (expired token, invalid signature, missing claim), to a centralized SIEM system.
Handling Token Refresh and Revocation
Implement a token refresh endpoint that accepts a valid refresh token and returns a new access token. Sysadmins should configure a deny list for revoked tokens: store their JWT IDs (jti) in a Redis cache with a TTL matching the token's original expiry. This prevents use of compromised tokens before their natural expiration.
Security Hardening and Monitoring
Encrypt the JWT payload at the application layer if the protocol uses symmetric signing. Sysadmins should enforce TLS 1.3 for all token exchanges and disable weak cipher suites. Rate-limit authentication endpoints to 10 requests per second per client IP to mitigate brute-force attacks. Use structured logging to capture token validation metrics: successful authentications, failures by type, and average validation latency.
Audit public key rotation manually. Automate notifications when a key approaches its expiry date. Test the configuration by sending a crafted JWT with an invalid signature; the API must return a 401 status with a descriptive error message. Document the exact token format, including required claims and accepted algorithms, in an API contract shared with external developers.
FAQ:
What is the default token lifetime for the Nordiqo Login protocol?
The default lifetime for access tokens is 15 minutes, and for refresh tokens it is 24 hours. Sysadmins can adjust these values in the Nordiqo admin panel based on security requirements.
How does the protocol handle token revocation?
Revoked tokens are tracked by their JWT ID (jti) in a Redis cache. The cache TTL matches the token’s original expiry, ensuring revoked tokens are rejected until they naturally expire.
Which encryption algorithms are supported?
The protocol supports RS256 and ES384 by default. Sysadmins can enable additional algorithms like EdDSA during key pair generation, but RS256 is recommended for compatibility.
Can external APIs use symmetric keys instead of asymmetric?
Asymmetric keys are mandatory for the standard protocol to avoid sharing secrets. Symmetric encryption is possible only if both parties use a dedicated VPN tunnel, but this is not recommended for public-facing APIs.
Reviews
Maria K., DevOps Lead
We integrated the Nordiqo Login protocol across 12 microservices. The JWT validation middleware took two hours to deploy. Token rotation works flawlessly, and the audit logs helped us identify a brute-force attempt within the first week.
James R., Security Engineer
The encrypted payload feature saved us from exposing tenant IDs in transit. I appreciated the clear documentation on clock skew handling. Only minor issue: the default key rotation interval is too long for our compliance needs.
Priya S., API Architect
Configuring the public key upload was straightforward. The protocol’s claim mapping allowed us to enforce fine-grained permissions per endpoint. We reduced authentication latency by 40% compared to our previous OAuth setup.
