JWT signing passphrase
Required. The key passphrase used to sign the JSON Web Token (JWT). Use a different value for each project and keep it secret.
JWT signing algorithm
The algorithm used to sign the JWT. Supported values are: ES384, ES256, ES512, RS256, RS384, RS512. Default is RS256.
JWT authorization header
The name of the header storing the JWT. Default value is `Authorization`.
**Note** The `Authorization` header may be removed by the web server. For example, if you use Apache, you may need to add this to your VirtualHost configuration: `SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1`. Alternatively, you can use another header such as `X-Authorization`.
JWT expiry time (seconds)
The JWT expiry time. Default value is 600 (10 minutes). Users will need to authenticate again once the JWT expires.
Use JWK and JWKSet
Use [Web-Token](https://symfony.com/bundles/LexikJWTAuthenticationBundle/current/10-web-token.html)
Access-Control-Allow-Origin
The Access-Control-Allow-Origin header. If unspecified, default value is `*` so the REST API can be accessed by external apps.
Access-Control-Allow-Headers
The Access-Control-Allow-Headers header.
**Note** [CORS-safelisted request headers](https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_request_header) are always allowed and hence usually aren't listed in Access-Control-Allow-Headers (unless there is a need to circumvent the safelist's [additional restrictions](https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_request_header#additional_restrictions)).
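
To see which request headers a cross-origin browser client forces you to list in Access-Control-Allow-Headers, the following added example (not part of the product's code) implements a simplified version of the CORS safelist check, including its additional restrictions. The function names and the sample request are constructed for illustration, and the `Range` check is reduced to its basic form.

```javascript
// Added example: simplified Fetch "CORS-safelisted request-header" check.
// Assumes ASCII header values; the spec's 1024-byte combined limit is omitted.
const UNSAFE_BYTE = /[\x00-\x08\x0a-\x1f"():<>?@\[\\\]{}\x7f]/;
const LANG_VALUE = /^[0-9A-Za-z *,\-.;=]*$/;
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True if the browser sends this header cross-origin without it being listed
// in Access-Control-Allow-Headers.
function isSafelisted(name, value) {
  if (value.length > 128) return false; // additional restriction: value size
  switch (name.toLowerCase()) {
    case "accept":
      return !UNSAFE_BYTE.test(value);
    case "accept-language":
    case "content-language":
      return LANG_VALUE.test(value);
    case "content-type": {
      if (UNSAFE_BYTE.test(value)) return false;
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFE_CONTENT_TYPES.has(essence);
    }
    case "range":
      return /^bytes=\d+-\d*$/.test(value); // simplified: start required
    default:
      return false; // includes Authorization and X-Authorization
  }
}

// Header names that must appear in Access-Control-Allow-Headers for a request.
function headersToAllow(requestHeaders) {
  const names = Object.entries(requestHeaders)
    .filter(([name, value]) => !isSafelisted(name, value))
    .map(([name]) => name.toLowerCase());
  return [...new Set(names)].sort();
}

// Constructed sample: a browser client calling the REST API with a JSON body.
const sampleRequest = {
  "Accept": "application/json",
  "Content-Type": "application/json",
  "X-Authorization": "<jwt-placeholder>",
};
console.log(headersToAllow(sampleRequest).join(", "));
```

The header carrying the JWT is never safelisted, so it must be listed by name; a `*` wildcard in Access-Control-Allow-Headers does not cover `Authorization`.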