# `Ltix.JWK`
[🔗](https://github.com/DecoyLex/ltix/blob/main/lib/ltix/jwk.ex#L1)

RSA key pair generation and JWKS document building for LTI tool authentication.

Every LTI Advantage service call requires a signed JWT assertion. This module
generates the key pairs used for signing and builds the JWKS documents that
platforms use to verify signatures.

## Generating keys

    {private, public} = Ltix.JWK.generate_key_pair()

Store the private key in your `%Ltix.Registration{}` as `tool_jwk`. Serve
the public key from your JWKS endpoint.

## Building a JWKS endpoint response

    jwks = Ltix.JWK.to_jwks([current_public, previous_public])
    # => %{"keys" => [%{"kty" => "RSA", "kid" => "...", ...}, ...]}

Include multiple keys during rotation so platforms can verify with either.

## Options

* `:key_size` (`t:integer/0`) - RSA key size in bits (minimum 2048), passed to `generate_key_pair`. The default value is `2048`.

# `generate_key_pair`

```elixir
@spec generate_key_pair(keyword()) :: {JOSE.JWK.t(), JOSE.JWK.t()}
```

Generate an RSA key pair for LTI tool authentication.

Returns `{private_jwk, public_jwk}`. The private key is suitable for
`registration.tool_jwk`. The public key goes on your JWKS endpoint.

Both keys share the same `kid` and include `alg: RS256` and `use: sig`.

## Examples

    {private, public} = Ltix.JWK.generate_key_pair()
    {private, public} = Ltix.JWK.generate_key_pair(key_size: 4096)

# `to_jwks`

```elixir
@spec to_jwks([JOSE.JWK.t()]) :: map()
```

Build a JWKS (JSON Web Key Set) map from a list of public JWKs.

Private key material is stripped from any key that still contains it, so a
private key passed in by mistake is not exposed in the output.

## Examples

    {_private, public} = Ltix.JWK.generate_key_pair()
    jwks = Ltix.JWK.to_jwks([public])
    [key] = jwks["keys"]
    key["kty"]
    #=> "RSA"
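
A pre-publication check for the document `to_jwks` returns, as an added example that is not part of Ltix: it flags private RSA parameters, a missing or duplicate `kid`, values other than `alg: RS256` and `use: sig`, and moduli under 2048 bits. The `JwksAudit` module, its problem atoms and the sample key set are hypothetical and constructed for illustration; only the Elixir standard library is used.

```elixir
# Added example, not Ltix code. JwksAudit and its problem atoms are hypothetical.
defmodule JwksAudit do
  # Private RSA JWK parameters (RFC 7518, section 6.3.2); none may be served.
  @private_params ~w(d p q dp dq qi oth)
  @min_bits 2048

  # Returns [{kid, problem}]; an empty list means no check failed.
  def audit(%{"keys" => keys}) when is_list(keys) do
    kids = Enum.map(keys, & &1["kid"])
    duplicate_kids = Enum.uniq(kids -- Enum.uniq(kids))

    Enum.flat_map(keys, fn key ->
      kid = key["kid"]

      [
        {Enum.any?(@private_params, &Map.has_key?(key, &1)), :private_material},
        {key["kty"] != "RSA", :not_rsa},
        {key["alg"] != "RS256", :alg_not_rs256},
        {key["use"] != "sig", :use_not_sig},
        {not is_binary(kid) or kid == "", :missing_kid},
        {kid in duplicate_kids, :duplicate_kid},
        {modulus_bits(key["n"]) < @min_bits, :modulus_too_small}
      ]
      |> Enum.filter(&elem(&1, 0))
      |> Enum.map(fn {true, problem} -> {kid, problem} end)
    end)
  end

  # Bit length of the base64url big-endian modulus; 0 when absent or malformed.
  defp modulus_bits(n) when is_binary(n) do
    case Base.url_decode64(n, padding: false) do
      {:ok, bytes} -> bytes |> :binary.decode_unsigned() |> Integer.digits(2) |> length()
      :error -> 0
    end
  end

  defp modulus_bits(_), do: 0
end

# Constructed sample: the moduli are filler bytes, not real keys.
n_2048 = Base.url_encode64(:binary.copy(<<0xC3>>, 256), padding: false)
n_1024 = Base.url_encode64(:binary.copy(<<0xC3>>, 128), padding: false)
base = %{"kty" => "RSA", "alg" => "RS256", "use" => "sig", "e" => "AQAB"}
previous = Map.merge(base, %{"kid" => "previous", "n" => n_1024, "d" => "leaked"})
jwks = %{"keys" => [Map.merge(base, %{"kid" => "current", "n" => n_2048}), previous]}

IO.inspect(JwksAudit.audit(jwks))
```

Run against the sample, the audit reports the `previous` key twice (private material and an undersized modulus) and nothing for `current`.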

---

*Consult [api-reference.md](api-reference.md) for complete listing*
