From bce08790ca50c5c4e2c858ed2ebcc4ee207ba1d7 Mon Sep 17 00:00:00 2001
From: Vincenzo Scamporlino <vincenzos@spotify.com>
Date: Thu, 4 Apr 2024 20:44:46 +0200
Subject: [PATCH] backend-app-api: auth changeset

Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
---
 .changeset/moody-bats-train.md | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 .changeset/moody-bats-train.md

diff --git a/.changeset/moody-bats-train.md b/.changeset/moody-bats-train.md
new file mode 100644
index 0000000000..3b41d57579
--- /dev/null
+++ b/.changeset/moody-bats-train.md
@@ -0,0 +1,9 @@
+---
+'@backstage/backend-app-api': patch
+---
+
+Service-to-service authentication has been improved.
+
+Each plugin now has the capability to generate its own signing keys for token issuance. The generated public keys are stored in a database, and they are made accessible through a newly created endpoint: `/.backstage/auth/v1/jwks.json`.
+
+`AuthService` can now issue tokens with a reduced scope using the `getPluginRequestToken` method. This improvement enables plugins to identify the plugin originating the request.