2026-06-20: WebRTC SIP Token (HS256 5-min TTL + Key Rotation)
/v1/webrtc/token now issues HS256 JWTs with a 5-minute TTL and supports two-key overlap rotation.
POST /v1/webrtc/token now issues HS256-signed JWTs with a 5-minute TTL. The gateway supports two-key overlap rotation so signing keys can be rotated without dropping live browser sessions.
Tokens issued by POST /v1/webrtc/token are HS256 JWTs with the following claims:
{
  "iss": "sautikit-sip",
  "sub": "<workspace_uuid>",
  "iat": 1750000000,
  "exp": 1750000300
}
TTL is fixed at 5 minutes (exp - iat = 300). Refresh before expiry; the gateway rejects expired tokens at the WebSocket handshake.
The gateway now accepts tokens signed by either the active key or a configured overlap key simultaneously. This enables zero-downtime key rotation:
SAUTIKIT_SIP_TOKEN_SIGNING_KEY_NEXT.
_NEXT to SAUTIKIT_SIP_TOKEN_SIGNING_KEY and clear _NEXT.
During step 2, the gateway verifies against both keys.
Short-lived tokens reduce the blast radius of a leaked browser credential. The overlap window ensures that already-issued tokens remain valid during key rotation, avoiding mid-call disconnections.
No action required if you are already minting tokens server-side. If you are running a self-hosted gateway deployment, set SAUTIKIT_SIP_TOKEN_SIGNING_KEY in your environment. Optionally configure SAUTIKIT_SIP_TOKEN_SIGNING_KEY_NEXT before a rotation event.
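The two-key overlap check described above, as an added example that is not SautiKit's gateway code: a stdlib-only HS256 verifier that pins the algorithm, tries the active key and the overlap key, and rejects expired tokens. The function names (b64e, b64d, sign, mint, verify), the key list layout, and the sample keys are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

ISSUER, TTL = "sautikit-sip", 300  # claim values from the changelog entry

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def mint(key: bytes, workspace: str, now: int) -> str:
    """Hypothetical issuer side: HS256 JWT with exp - iat = 300."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": workspace, "iat": now, "exp": now + TTL}
    body = f"{header}.{b64e(json.dumps(claims).encode())}"
    return f"{body}.{b64e(sign(key, body))}"

def verify(token: str, keys: list, now: int) -> dict:
    """Hypothetical gateway side. keys = [active, overlap]; overlap is None
    when SAUTIKIT_SIP_TOKEN_SIGNING_KEY_NEXT is unset. Raises ValueError."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header, sig = json.loads(b64d(header_b64)), b64d(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token header choose it ("none", RS256...).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    body = f"{header_b64}.{claims_b64}"
    # Constant-time compare against every configured key; skip unset slots.
    if not any(hmac.compare_digest(sign(k, body), sig) for k in keys if k):
        raise ValueError("bad signature")
    claims = json.loads(b64d(claims_b64))  # parsed only after the MAC checks out
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims

# Constructed sample keys; real keys come from the gateway environment.
OLD_KEY, NEW_KEY = b"constructed-old-key-0000000000000", b"constructed-new-key-1111111111111"
```

Once the old key is dropped from the list, tokens it signed fail verification, so waiting at least one full TTL (300 seconds) after the issuer switches keys lets outstanding tokens expire first.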