Update Notifications

The nats-account-server can notify a nats-server about JWT updates, so that the NATS server can update itself to the new JWT.

To push notifications, the nats-account-server makes use of system accounts.

Here's a nats-account-server configuration with updates enabled:

operatorjwtpath: "/users/synadia/.nsc/nats/AAA/AAA.jwt",
systemaccountjwtpath: "/users/synadia/.nsc/nats/AAA/accounts/SYS/SYS.jwt"
http {
    port: 9090
},
store {
    dir: "/tmp/as_store",
    readonly: false,
    shard: true
}
nats {
  servers: [nats://localhost:4222]
  usercredentials: "/Users/synadia/.nkeys/AAA/accounts/SYS/users/sys.creds"
}

The above configuration:

  • Sets the operatorjwtpath so that pushed JWTs can be verified as signed by the operator

  • Sets the systemaccountjwtpath so that the nats-server can ask for the system account (which the nats-account-server will trigger when it connects to the nats-server)

The nats section:

  • Sets the servers with a list of NATS URLs

  • Sets usercredentials to the credentials file for the system account user that issues notifications.

When the account server starts:

  • It makes a connection to the NATS server using the usercredentials of the system account.
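A pre-flight check for the path settings in the configuration above, as an added example that is not part of the original page or of the nats-account-server project. The function names and the policy it applies (owner-only access to the system account credentials, no world-writable store directory) are assumptions of this example, and the regex extraction covers only quoted `key: "value"` settings rather than the full NATS configuration syntax.

```python
import os
import re
import stat
import sys

# Path-valued keys used in the nats-account-server configuration above.
PATH_KEYS = ("operatorjwtpath", "systemaccountjwtpath", "usercredentials", "dir")


def extract_paths(conf_text):
    """Pull quoted path settings out of the config (regex match, not a full parser)."""
    found = {}
    for key in PATH_KEYS:
        m = re.search(r'^\s*%s\s*[:=]\s*"([^"]+)"' % re.escape(key), conf_text, re.M)
        if m:
            found[key] = m.group(1)
    return found


def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    paths = extract_paths(conf_text)
    for key in PATH_KEYS:
        if key not in paths:
            findings.append(f"{key}: not set")
            continue
        path = paths[key]
        try:
            mode = os.stat(path).st_mode
        except OSError:
            findings.append(f"{key}: {path} is missing or unreadable")
            continue
        # Assumed policy: the system account credentials hold a private seed, owner-only.
        if key == "usercredentials" and mode & 0o077:
            findings.append(f"{key}: {path} mode {stat.S_IMODE(mode):o} allows group/other")
        # Assumed policy: no local user other than the owner may write to the JWT store.
        if key == "dir" and mode & stat.S_IWOTH:
            findings.append(f"{key}: {path} is world-writable")
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python audit_conf.py /path/to/account-server.conf")
    with open(sys.argv[1]) as fh:
        problems = audit(fh.read())
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

Run it against the account server's configuration file before starting the server; a non-zero exit status means at least one finding was printed.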

The NATS server configuration looks like:

It specifies:

  • The operator JWT

  • The resolver URL where the nats-account-server will create requests. Note the nats-account-server log prints the exact value you should provide for this setting:

The nats-account-server has to be running before the nats-server starts because, currently, the nats-server verifies on startup that it can connect to the resolver.

Then start the NATS server:

At this point, you have both servers running. You can submit updates to the nats-account-server using nsc:

The account server should show the updates in its log:
