Public Key + Private Key
Part of the authentication process requires managing a Public Key + Private Key pair.
Private Key
The Private Key remains solely in your possession and must be kept secret. This is what you will use to create the signed JSON Web Token (JWT) when authenticating with the API.
You’ll know that you are viewing a Private Key if the content begins with:
-----BEGIN PRIVATE KEY-----
[content omitted]
-----END PRIVATE KEY-----
Security Considerations
- Do not share the Private Key via unsecured channels (e.g. email or instant messaging).
- Keep the Private Key secret and do not leak it through any frontend, client-accessible JavaScript call.
- Similarly, do not commit the Private Key to your source code repository.
Public Key
The Public Key is configured as part of an External Application in the Users & Groups app within Banno. The back office administrator at your financial institution can do this for you in the Users & Groups section of Banno.
You’ll know that you are viewing a Public Key if the content looks like this:
-----BEGIN PUBLIC KEY-----
[content omitted]
-----END PUBLIC KEY-----
Security Considerations
The Public Key is used to verify that API requests which claim to be from your External Application do in fact originate from your application.
Generating a Public Key + Private Key pair
Generating the Public Key + Private Key pair can be done in various ways on different platforms. One option is to use OpenSSL.
The key should be generated with a size of at least 2048 bits.
1) Create the Private Key
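Command Line:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.pem
The -pkeyopt rsa_keygen_bits:2048 option sets the key size explicitly rather than relying on the default of the installed OpenSSL version.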
2) Create the Public Key in .PEM format
Command Line:
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
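The two steps above as one script, followed by the checks worth running before public.pem is handed to the administrator. This is an added example, not Banno's own code; the function names and the MIN_BITS variable are assumptions, and the file names follow the page.

```shell
#!/bin/sh
# Added example. File names private.pem / public.pem follow the page;
# the function names and MIN_BITS are assumptions made for this sketch.
MIN_BITS=2048

# Create private.pem and public.pem in directory $1 with a modulus of $2 bits.
make_keypair() {
    dir=$1; bits=${2:-$MIN_BITS}
    (
        umask 077    # private.pem is created readable by its owner only
        openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
            -out "$dir/private.pem" 2>/dev/null
    ) || return 1
    openssl rsa -in "$dir/private.pem" -outform PEM -pubout \
        -out "$dir/public.pem" 2>/dev/null
}

# Print the modulus size, in bits, of the public key file $1.
pubkey_bits() {
    openssl rsa -pubin -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if $2 is a public key of at least MIN_BITS that pairs with $1.
check_keypair() {
    priv=$1; pub=$2
    # The file handed to the administrator must be the public half only.
    if grep -q 'PRIVATE KEY-----' "$pub" ||
       ! head -n 1 "$pub" | grep -q '^-----BEGIN PUBLIC KEY-----'; then
        echo "refusing: $pub is not a bare public key" >&2; return 1
    fi
    bits=$(pubkey_bits "$pub")
    if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
        echo "refusing: key is ${bits:-unknown} bits, need $MIN_BITS" >&2; return 1
    fi
    # Equal moduli mean both files belong to the same RSA pair.
    m_priv=$(openssl rsa -in "$priv" -noout -modulus 2>/dev/null)
    m_pub=$(openssl rsa -pubin -in "$pub" -noout -modulus 2>/dev/null)
    if [ -z "$m_priv" ] || [ "$m_priv" != "$m_pub" ]; then
        echo "refusing: $pub does not match $priv" >&2; return 1
    fi
}
```

Run `make_keypair .` and then `check_keypair private.pem public.pem`; only public.pem leaves the machine.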