POST /teams/mle/public_keys
curl https://production.methodfi.com/teams/mle/public_keys \
  -X POST \
  -H "Method-MLE: jwe" \
  -H "Authorization: Bearer sk_your_token" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "direct",
    "contact": "security@yourcompany.com",
    "jwk": {
      "kid": "your-unique-key-id",
      "kty": "RSA",
      "alg": "RSA-OAEP-256",
      "use": "enc",
      "n": "s3C9N7Vz...J7c",
      "e": "AQAB"
    },
    "well_known_endpoint": null
  }'
{
  "success": true,
  "data": {
    "id": "team_jwk_12345", 
    "type": "direct",
    "jwk": {
      "kid": "your-unique-key-id", 
      "kty": "RSA",
      "alg": "RSA-OAEP-256",
      "use": "enc",
      "n": "s3C9N7Vz...J7c",
      "e": "AQAB"
    },
    "well_known_endpoint": null,
    "status": "active",
    "contact": "security@yourcompany.com",
    "created_at": "2024-01-15T10:30:00Z",
    "updated_at": "2024-01-15T10:30:00Z"
  },
  "message": null
}
Creates a new public key registration for Message Level Encryption. You can register your key using either direct registration (providing the JWK directly) or well-known endpoint registration (providing a URL where Method can fetch your JWKS).
Each key ID (kid) can only be registered once. Choose either direct or well-known registration for each unique key.

Body

type (string, required): The type of key registration. One of direct or well_known.
contact (string, required): Contact email for the key registration.
jwk (object | null): The JSON Web Key object. Required for direct registration, null for well-known.
well_known_endpoint (string | null): URL to your JWKS endpoint. Required for well-known registration, null for direct.

Well-Known Endpoint Requirements

If using type: "well_known", your endpoint must return a JWKS that meets these requirements:
  1. Must have a top-level field named keys that has a list as its value.
  2. For a JWK (an item in the list of keys) to be valid, the following must be met:
    1. JWK must be an object
    2. JWK must have a field named kty and it must be equal to RSA
    3. JWK must have a field n and it must be a string that is a valid n for a JWK in accordance with the RFC
    4. JWK must have a field e and it must be a string that is a valid e for a JWK in accordance with the RFC
    5. JWK can optionally have a field named alg, but if it is provided the value must be RSA-OAEP-256
    6. JWK must have a field kid and it must be a string that is a valid id which will be passed as cid when making requests to Method
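
A pre-publication check of a JWKS against the requirements listed above, as an added example (not Method's code; the function names and the sample document are constructed for illustration). It assumes "the RFC" means RFC 7518, whose Base64urlUInt encoding forbids padding and leading zero octets, and it adds one check that is not in the list: refusing a JWKS that contains private RSA parameters.

```python
import base64
import re

_B64URL = re.compile(r"[A-Za-z0-9_-]+")  # unpadded base64url alphabet

def b64url_uint(value):
    """Decode a Base64urlUInt (RFC 7518) to an int, or return None if malformed."""
    if not isinstance(value, str) or not _B64URL.fullmatch(value):
        return None
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except ValueError:
        return None
    # Minimal-length rule: a leading zero octet (often emitted by big-integer
    # libraries when exporting a modulus) is not a valid Base64urlUInt.
    if not raw or raw[0] == 0:
        return None
    return int.from_bytes(raw, "big")

def validate_jwks(doc):
    """Return a list of problems; an empty list means every check passed."""
    if not isinstance(doc, dict) or not isinstance(doc.get("keys"), list):
        return ["top-level 'keys' must be a list"]
    problems = []
    for i, jwk in enumerate(doc["keys"]):
        if not isinstance(jwk, dict):
            problems.append(f"keys[{i}]: not an object")
            continue
        if jwk.get("kty") != "RSA":
            problems.append(f"keys[{i}]: kty must be RSA")
        for field in ("n", "e"):
            if b64url_uint(jwk.get(field)) is None:
                problems.append(f"keys[{i}]: {field} is not a valid Base64urlUInt")
        if "alg" in jwk and jwk["alg"] != "RSA-OAEP-256":
            problems.append(f"keys[{i}]: alg, if present, must be RSA-OAEP-256")
        if not isinstance(jwk.get("kid"), str) or not jwk["kid"]:
            problems.append(f"keys[{i}]: kid must be a non-empty string")
        # Extra check, not in the listed requirements: never publish private parts.
        if any(p in jwk for p in ("d", "p", "q", "dp", "dq", "qi")):
            problems.append(f"keys[{i}]: private key parameters present")
    return problems

# Constructed sample: n values are short placeholders, not real RSA moduli.
SAMPLE = {"keys": [
    {"kid": "key-1", "kty": "RSA", "alg": "RSA-OAEP-256", "n": "s3C9N7Vz", "e": "AQAB"},
    {"kid": "key-2", "kty": "RSA", "alg": "RSA-OAEP", "n": "ALNwvTe1cw", "e": "AQAB"},
]}
if __name__ == "__main__":
    print(validate_jwks(SAMPLE))
```

The second sample key fails twice: its n starts with a zero octet and its alg is not RSA-OAEP-256.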

Returns

Returns the created public key registration object with an assigned ID and active status.