Skip to main content
The key server is configured entirely via environment variables. No config files needed.

Required variables

Never set CORS_ORIGINS=* in production. The key server sends Access-Control-Allow-Origin with the exact matching origin and includes Vary: Origin for correct caching.

Authentication

Set one of these to enable JWT validation on key requests. If neither is set, the key server runs in development mode with no authentication. If both are set, AUTH_JWKS_URL takes precedence.

How auth works

  1. The player sends Authorization: Bearer <token> on every key request
  2. The key server validates the JWT signature
  3. If valid, the key is derived and returned
  4. If invalid or expired, the server returns 401 Unauthorized

Optional variables

Docker volumes

Health check

GET /health returns 200 OK with { "status": "ok" }. Use this for Docker health checks and load balancer probes.