It is not! Should it be in there?
What's weird is that both tempkey.rsa and tempkey.jwk are set to "do not copy" yet the tempkey.jwk is found in the docker image.
Thank-you for your reply; let me see if I understand what you are saying.
The app generates cryptographic keys for protecting tokens, etc, when it starts. The app stores this key in memory by default (probably in redis by default with the standard template?) To ensure that the protected tokens can be read after the app restarts, the app must not be allowed to roll the keys; that is, the key must be perisisted to DB or to redis. This way, when the app starts up again, it will re-use the same key from previous and only roll it when it expires.
Do I have that correct?
I guess this doesn't explain the AbpUserTokens table or how to persist the tokens, but that wouldn't matter anyway unless the key was persisted. Do you know of any samples/examples of this setup?
Any idea how to configure this seeing as I am using the account module?
Perhaps just allowing the client to send cookies it received from the response is forcing the API system to think that RequestVerificationToken is required?? If I clear out cookies in POSTMAN then it does not have the requirement to include the RequestVerificationToken header.
Please confirm my understanding?