
4.8.0

2025-12-30
minor

Features 1

  • Add JWT and JWE payload type options for Action V2 targets (#11196, #11061)
    Introduced application-layer encryption for Action V2 payloads to prevent sensitive data exposure to intermediary infrastructure or logging systems. Customers can now configure targets to deliver payloads as JSON (default), JWT (signed), or JWE (signed and encrypted). This enables secure JIT migration workflows in high-security environments where passwords cannot flow through untrusted infrastructure in clear text.
    Key features:
    • New payload type configuration for targets: JSON, JWT, and JWE
    • API endpoints to upload and manage public keys for encryption
    • Support for RSA and Elliptic Curve (ECDSA) keys in PEM format
    • Optional expiration dates for encryption keys
    • Automatic key rotation and disabling capabilities
    • Uses AES256GCM for symmetric encryption
    • Clear error logging when no valid public key exists
    Database changes:
    • Added `fingerprint` column to `authn_keys` table
    • Dropped not null constraint on `expiration` in `authn_keys` table
    actions api console database security

Maintenance & Chores 1

  • Refactor GetSignerOnce into separate package (#11196)
    Moved the `GetSignerOnce` functionality into its own package to prevent circular dependencies and improve code organization.
    core
