Every TeleQuick request is scoped to a tenant. The tenant is proven by a JWT signed with an RSA private key held in a service-account JSON file.

Service-account file

{
  "tenant_id": "acme",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----",
  "private_key_id": "kid-2026-01"
}

Field | Purpose
--- | ---
tenant_id | The tenant the JWT is signed for. Becomes the JWT iss claim.
private_key | RSA-2048 PKCS#8 private key in PEM. Used to sign tokens.
private_key_id | Public-key id; embedded as kid so the gateway picks the right key.

Every SDK reads the path to this file from TELEQUICK_CREDENTIALS.

Signing

The SDK builds a JWT with these claims:

Claim | Value
--- | ---
alg | RS256
kid | private_key_id from the service-account file
iss | telequick-sdk
sub | tenant_id
exp | now + 1h

The token is presented during the QUIC handshake. The gateway pins the JWT to the QUIC connection ID, so every subsequent stream over that connection inherits the tenant scope automatically — RPCs do not carry the JWT themselves.

Browser tokens

Browsers cannot read PEM keys safely. For the WebTransport SDK, your backend mints a short-lived (≤ 5 min) JWT and ships it to the page. Pass it to the client as the second positional argument with isBrowserToken = true:
import { TeleQuickClient } from "@telequick/sdk";

const client = new TeleQuickClient(
  "https://engine.telequick.dev:9090",
  shortLivedJwt,
  /* isBrowserToken */ true,
);

Tenant isolation guarantees

The gateway enforces:
  • A tenant can only originate calls on trunks they own.
  • A tenant can only terminate / barge calls whose call_sid belongs to them.
  • StreamEvents only delivers events for calls owned by the connection’s tenant.
A leaked or stolen JWT is therefore tenant-scoped — it cannot be used to disrupt other tenants’ calls.

Rotating keys

  1. Generate a new RSA-2048 keypair.
  2. Upload the public half via the TeleQuick admin console — note the kid it returns.
  3. Update the service-account JSON on every host that runs the SDK.
  4. Wait for in-flight tokens to expire (max 1h), then revoke the old kid.
Old and new keys can coexist for a tenant during the rollover window.