
Allow configuring the signing algorithm for new APIs

Open scraymondjr opened this issue 2 years ago • 1 comments

Describe the problem you'd like to have solved

The create API HTTP documentation describes field signing_alg to allow configuring the signing algorithm of the access token for the API. This configuration does not appear to be available in the CLI.

Describe the ideal solution

Add a flag to allow specifying the signing-alg value, restricted to the allowed values of RS256 and HS256. For example, to create an API using the HS256 algorithm:

$ auth0 apis create --identifier ${ID} --signing-alg HS256

The response should include the secret on success:

=== {tenant}.us.auth0.com API created

  ID                    {ID}
  NAME                  {NAME}
  IDENTIFIER            {AUDIENCE}
  TOKEN LIFETIME        3600
  ALLOW OFFLINE ACCESS  ✗
  SIGNING SECRET        {SECRET PLAINTEXT}

Alternatives and current work-arounds

There is no alternative to this problem using the CLI. The signing algorithm cannot be changed once the API is created, so the current behavior is that all APIs created through the CLI will use the RS256 algorithm.

scraymondjr, Oct 22 '21 15:10

Hi @scraymondjr, thanks for raising this. I'll leave the issue open to track this.

Widcket, Oct 23 '21 01:10

Update: We included this in v1.3.0 through the --signing-alg flag. Example:

auth0 apis create --name myapi --identifier http://my-api --token-lifetime 6100 --offline-access=false --scopes "letter:write,letter:read" --signing-alg "RS256"

Appreciate the patience!

willvedd, Dec 01 '23 19:12