fix(webapp): sign public JWTs with env.apiKey, not the raw header key

ericallam · ericallam · commit 2a63995b0eb0 · 2026-04-20T18:10:36.000+01:00
During the grace window after an API key rotation, a client calling
/api/v1/auth/jwt with their old (revoked but still valid) key would get
back a JWT that immediately failed validation, because signing used the
header key (old) while validation in jwtAuth.server.ts uses
environment.apiKey (new). Sign with the environment's canonical current
key instead so minted JWTs validate regardless of which accepted key was
used to authenticate the mint call. Works for dev/prod/preview — in the
PREVIEW branch path, findEnvironmentByApiKey already merges the parent's
current apiKey onto the returned env.
diff --git a/apps/webapp/app/routes/api.v1.auth.jwt.ts b/apps/webapp/app/routes/api.v1.auth.jwt.ts
@@ -36,8 +36,11 @@ export async function action({ request }: LoaderFunctionArgs) {
     ...parsedBody.data.claims,
   };
 
+  // Sign with the environment's current canonical key, not the raw header key,
+  // so JWTs minted with a revoked (grace-window) key still validate — validation
+  // in jwtAuth.server.ts uses environment.apiKey.
   const jwt = await internal_generateJWT({
-    secretKey: authenticationResult.apiKey,
+    secretKey: authenticationResult.environment.apiKey,
     payload: claims,
     expirationTime: parsedBody.data.expirationTime ?? "1h",
   });
