From 26e8173f29fa1b0422faedbf987e20052d30a583 Mon Sep 17 00:00:00 2001
From: Jennings
Date: Wed, 27 May 2026 18:12:45 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Fix=20JWKS=20key=20length=20to?= =?UTF-8?q?=20meet=20RS512=20requirements?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The RS512 algorithm specification requires an RSA key modulus length of 2048 bits or larger. The member token service generates its JWTs using RS512 but the fallback auto-generated keys (used for token signing and exposed at `/members/.well-known/jwks.json`) were using a 1024-bit key length. This updates the dynamically generated RSA keys for members to 2048 bits to comply with the standard and resolve validation errors when external libraries try to parse the member token keys. Fixes #24831
---
 ghost/core/core/server/models/settings.js | 4 ++--
 .../core/server/services/members/members-config-provider.js | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ghost/core/core/server/models/settings.js b/ghost/core/core/server/models/settings.js
index 9acb051e758..1ab216818d9 100644
--- a/ghost/core/core/server/models/settings.js
+++ b/ghost/core/core/server/models/settings.js
@@ -26,7 +26,7 @@ const getMembersKey = doBlock(() => {
 let UNO_KEYPAIRINO;
 return function getKey(type) {
 if (!UNO_KEYPAIRINO) {
- UNO_KEYPAIRINO = keypair({bits: 1024});
+ UNO_KEYPAIRINO = keypair({bits: 2048});
 }
 return UNO_KEYPAIRINO[type];
 };
@@ -36,7 +36,7 @@ const getGhostKey = doBlock(() => {
 let UNO_KEYPAIRINO;
 return function getKey(type) {
 if (!UNO_KEYPAIRINO) {
- UNO_KEYPAIRINO = keypair({bits: 1024});
+ UNO_KEYPAIRINO = keypair({bits: 2048});
 }
 return UNO_KEYPAIRINO[type];
 };
diff --git a/ghost/core/core/server/services/members/members-config-provider.js b/ghost/core/core/server/services/members/members-config-provider.js
index c587ae6079d..3f195fed5a3 100644
--- a/ghost/core/core/server/services/members/members-config-provider.js
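Review bot: Raising `bits` in `getMembersKey` (and identically in `getGhostKey`, the second hunk) only affects keypairs generated from now on; nothing in either hunk detects or replaces a 1024-bit key that an existing install has already stored. If these generators supply persisted settings defaults (their callers are outside the hunks, so this is inferred), such sites would keep signing with and publishing the short key, and the validation errors described in the commit message would persist for them. A migration or startup check that regenerates stored keys whose modulus is under 2048 bits would close that gap, bearing in mind that rotation invalidates tokens already issued. The literal is also repeated in both closures; a module-level `const RSA_KEY_BITS = 2048; // minimum modulus for RS512 signing` would keep the two from drifting apart.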
+++ b/ghost/core/core/server/services/members/members-config-provider.js
@@ -54,7 +54,7 @@ class MembersConfigProvider {
 if (!privateKey || !publicKey) {
 logging.warn('Could not find members_private_key, using dynamically generated keypair');
- const keypair = createKeypair({bits: 1024});
+ const keypair = createKeypair({bits: 2048});
 privateKey = keypair.private;
 publicKey = keypair.public;
 }
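Review bot: The fallback at `const keypair = createKeypair({bits: 2048});` is a block-local that is never stored, so as far as the hunk shows a fresh key is generated every time this branch runs. Tokens signed under one generated key would then fail verification against the JWKS produced by a later call or by another instance, and each generation now costs noticeably more than at 1024 bits. Memoising the fallback, as the `getMembersKey` closure in settings.js does, would avoid both, for example `this._fallbackKeypair = this._fallbackKeypair || createKeypair({bits: 2048});`. The `logging.warn` text could also state that the key is ephemeral and will not survive a restart. The enclosing method starts and ends outside the hunk, so how often it is called cannot be confirmed from here.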