5-improve-encrypted-storage (#6 )

Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation. Co-authored-by: eelke <eelke@eelkeklein.nl> Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com> Reviewed-on: #6
2026-02-27 17:57:42 +00:00
87 changed files with 1903 additions and 533 deletions
--- a/IdentityShroud.Api.Tests/Apis/ClientApiTests.cs
+++ b/IdentityShroud.Api.Tests/Apis/ClientApiTests.cs
@ -0,0 +1,179 @@
 using System.Net;
 using System.Net.Http.Json;
 using IdentityShroud.Core;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Tests.Fixtures;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.DependencyInjection;
 namespace IdentityShroud.Api.Tests.Apis;
 public class ClientApiTests : IClassFixture<ApplicationFactory>
 {
    private readonly ApplicationFactory _factory;
    public ClientApiTests(ApplicationFactory factory)
    {
        _factory = factory;
        using var scope = _factory.Services.CreateScope();
        var db = scope.ServiceProvider.GetRequiredService<Db>();
        if (!db.Database.EnsureCreated())
        {
            db.Database.ExecuteSqlRaw("TRUNCATE realm CASCADE;");
        }
    }
    [Theory]
    [InlineData(null, false, "ClientId")]
    [InlineData("", false, "ClientId")]
    [InlineData("my-client", true, "")]
    public async Task Create_Validation(string? clientId, bool succeeds, string fieldName)
    {
        // setup
        Realm realm = await CreateRealmAsync("test-realm", "Test Realm");
        var client = _factory.CreateClient();
        // act
        var response = await client.PostAsync(
            $"/api/v1/realms/{realm.Id}/clients",
            JsonContent.Create(new { ClientId = clientId }),
            TestContext.Current.CancellationToken);
 #if DEBUG
        string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
 #endif
        if (succeeds)
        {
            Assert.Equal(HttpStatusCode.Created, response.StatusCode);
        }
        else
        {
            Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
            var problemDetails =
                await response.Content.ReadFromJsonAsync<ValidationProblemDetails>(
                    TestContext.Current.CancellationToken);
            Assert.Contains(problemDetails!.Errors, e => e.Key == fieldName);
        }
    }
    [Fact]
    public async Task Create_Success_ReturnsCreatedWithLocation()
    {
        // setup
        Realm realm = await CreateRealmAsync("create-realm", "Create Realm");
        var client = _factory.CreateClient();
        // act
        var response = await client.PostAsync(
            $"/api/v1/realms/{realm.Id}/clients",
            JsonContent.Create(new { ClientId = "new-client", Name = "New Client" }),
            TestContext.Current.CancellationToken);
 #if DEBUG
        string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
 #endif
        // verify
        Assert.Equal(HttpStatusCode.Created, response.StatusCode);
        var body = await response.Content.ReadFromJsonAsync<ClientCreateReponse>(
            TestContext.Current.CancellationToken);
        Assert.NotNull(body);
        Assert.Equal("new-client", body.ClientId);
        Assert.True(body.Id > 0);
    }
    [Fact]
    public async Task Create_UnknownRealm_ReturnsNotFound()
    {
        var client = _factory.CreateClient();
        var response = await client.PostAsync(
            $"/api/v1/realms/{Guid.NewGuid()}/clients",
            JsonContent.Create(new { ClientId = "some-client" }),
            TestContext.Current.CancellationToken);
        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
    }
    [Fact]
    public async Task Get_Success()
    {
        // setup
        Realm realm = await CreateRealmAsync("get-realm", "Get Realm");
        Client dbClient = await CreateClientAsync(realm, "get-client", "Get Client");
        var httpClient = _factory.CreateClient();
        // act
        var response = await httpClient.GetAsync(
            $"/api/v1/realms/{realm.Id}/clients/{dbClient.Id}",
            TestContext.Current.CancellationToken);
 #if DEBUG
        string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
 #endif
        // verify
        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
        var body = await response.Content.ReadFromJsonAsync<ClientRepresentation>(
            TestContext.Current.CancellationToken);
        Assert.NotNull(body);
        Assert.Equal(dbClient.Id, body.Id);
        Assert.Equal("get-client", body.ClientId);
        Assert.Equal("Get Client", body.Name);
        Assert.Equal(realm.Id, body.RealmId);
    }
    [Fact]
    public async Task Get_UnknownClient_ReturnsNotFound()
    {
        // setup
        Realm realm = await CreateRealmAsync("notfound-realm", "NotFound Realm");
        var httpClient = _factory.CreateClient();
        // act
        var response = await httpClient.GetAsync(
            $"/api/v1/realms/{realm.Id}/clients/99999",
            TestContext.Current.CancellationToken);
        // verify
        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
    }
    private async Task<Realm> CreateRealmAsync(string slug, string name)
    {
        using var scope = _factory.Services.CreateScope();
        var db = scope.ServiceProvider.GetRequiredService<Db>();
        var realm = new Realm { Slug = slug, Name = name };
        db.Realms.Add(realm);
        await db.SaveChangesAsync(TestContext.Current.CancellationToken);
        return realm;
    }
    private async Task<Client> CreateClientAsync(Realm realm, string clientId, string? name = null)
    {
        using var scope = _factory.Services.CreateScope();
        var db = scope.ServiceProvider.GetRequiredService<Db>();
        var client = new Client
        {
            RealmId = realm.Id,
            ClientId = clientId,
            Name = name,
            CreatedAt = DateTime.UtcNow,
        };
        db.Clients.Add(client);
        await db.SaveChangesAsync(TestContext.Current.CancellationToken);
        return client;
    }
 }
--- a/IdentityShroud.Api.Tests/Apis/RealmApisTests.cs
+++ b/IdentityShroud.Api.Tests/Apis/RealmApisTests.cs
@ -44,7 +44,9 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
        var client = _factory.CreateClient();
        Guid? inputId = id is null ? (Guid?)null : new Guid(id);
-        var response = await client.PostAsync("/realms", JsonContent.Create(new
+        
        // act
        var response = await client.PostAsync("/api/v1/realms", JsonContent.Create(new
            {
                Id = inputId,
                Slug = slug,
@ -88,16 +90,21 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
        // act
        var client = _factory.CreateClient();
-        var response = await client.GetAsync("/realms/foo/.well-known/openid-configuration",
+        var response = await client.GetAsync("auth/realms/foo/.well-known/openid-configuration",
            TestContext.Current.CancellationToken);
        // verify
 #if DEBUG
        string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
 #endif
        Assert.Equal(HttpStatusCode.OK, response.StatusCode);        
        var result = await response.Content.ReadFromJsonAsync<JsonObject>(TestContext.Current.CancellationToken);
        Assert.NotNull(result);
-        JsonObjectAssert.Equal("http://localhost/realms/foo/openid-connect/auth", result, "authorization_endpoint");
+        JsonObjectAssert.Equal("http://localhost/auth/realms/foo/openid-connect/auth", result, "authorization_endpoint");
-        JsonObjectAssert.Equal("http://localhost/realms/foo", result, "issuer");
+        JsonObjectAssert.Equal("http://localhost/auth/realms/foo", result, "issuer");
-        JsonObjectAssert.Equal("http://localhost/realms/foo/openid-connect/token", result, "token_endpoint");
+        JsonObjectAssert.Equal("http://localhost/auth/realms/foo/openid-connect/token", result, "token_endpoint");
-        JsonObjectAssert.Equal("http://localhost/realms/foo/openid-connect/jwks", result, "jwks_uri");
+        JsonObjectAssert.Equal("http://localhost/auth/realms/foo/openid-connect/jwks", result, "jwks_uri");
    }
    [Theory]
@ -107,7 +114,7 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
    {
        // act
        var client = _factory.CreateClient();
-        var response = await client.GetAsync("/realms/bar/.well-known/openid-configuration",
+        var response = await client.GetAsync($"/realms/{slug}/.well-known/openid-configuration",
            TestContext.Current.CancellationToken);
        // verify
@ -118,34 +125,35 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
    public async Task GetJwks()
    {
        // setup
-        IEncryptionService encryptionService = _factory.Services.GetRequiredService<IEncryptionService>();
+        IDekEncryptionService dekEncryptionService = _factory.Services.GetRequiredService<IDekEncryptionService>();
        using var rsa = RSA.Create(2048);
        RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
-        Key key = new()
+        RealmKey realmKey = new()
        {
            Id = Guid.NewGuid(),
            KeyType = "RSA",
            Key = dekEncryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
            CreatedAt = DateTime.UtcNow,
        };
        key.SetPrivateKey(encryptionService, rsa.ExportPkcs8PrivateKey());
        await ScopedContextAsync(async db =>
        {
-            db.Realms.Add(new Realm() { Slug = "foo", Name = "Foo", Keys = [ key ]});
+            db.Realms.Add(new Realm() { Slug = "foo", Name = "Foo", Keys = [ realmKey ]});
            await db.SaveChangesAsync(TestContext.Current.CancellationToken);
        });
        // act
        var client = _factory.CreateClient();
-        var response = await client.GetAsync("/realms/foo/openid-connect/jwks",
+        var response = await client.GetAsync("/auth/realms/foo/openid-connect/jwks",
            TestContext.Current.CancellationToken);
        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
        JsonObject? payload = await response.Content.ReadFromJsonAsync<JsonObject>(TestContext.Current.CancellationToken);
        Assert.NotNull(payload);
-        JsonObjectAssert.Equal(key.Id.ToString(), payload, "keys[0].kid"); 
+        JsonObjectAssert.Equal(realmKey.Id.ToString(), payload, "keys[0].kid"); 
        JsonObjectAssert.Equal(WebEncoders.Base64UrlEncode(parameters.Modulus!), payload, "keys[0].n"); 
        JsonObjectAssert.Equal(WebEncoders.Base64UrlEncode(parameters.Exponent!), payload, "keys[0].e"); 
    }
--- a/IdentityShroud.Api.Tests/Fixtures/ApplicationFactory.cs
+++ b/IdentityShroud.Api.Tests/Fixtures/ApplicationFactory.cs
@ -1,11 +1,6 @@
 using IdentityShroud.Core.Services;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Testing;
 using Microsoft.EntityFrameworkCore.Infrastructure;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.VisualStudio.TestPlatform.TestHost;
 using Npgsql;
 using Testcontainers.PostgreSql;
 namespace IdentityShroud.Core.Tests.Fixtures;
@ -33,7 +28,10 @@ public class ApplicationFactory : WebApplicationFactory<Program>, IAsyncLifetime
                new Dictionary<string, string?>
                {
                    ["Db:ConnectionString"] = _postgresqlServer.GetConnectionString(),
-                    ["Encryption:Master"] = "GVd07qW0frRX9quPX/X62L88BeRR7+IzgRJHtG7ZzHw=",
+                    ["secrets:master:0:Id"] = "94970f27-3d88-4223-9940-7dd57548f5b5",
                    ["secrets:master:0:Active"] = "true",
                    ["secrets:master:0:Algorithm"] = "AES",
                    ["secrets:master:0:Key"] = "GVd07qW0frRX9quPX/X62L88BeRR7+IzgRJHtG7ZzHw=",
                });
        });
--- a/IdentityShroud.Api.Tests/Mappers/KeyMapperTests.cs
+++ b/IdentityShroud.Api.Tests/Mappers/KeyMapperTests.cs
@ -1,41 +0,0 @@
 using System.Security.Cryptography;
 using IdentityShroud.Api.Mappers;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Messages;
 using IdentityShroud.Core.Model;
 using IdentityShroud.TestUtils.Substitutes;
 using Microsoft.AspNetCore.WebUtilities;
 namespace IdentityShroud.Api.Tests.Mappers;
 public class KeyMapperTests
 {
    private readonly IEncryptionService _encryptionService = EncryptionServiceSubstitute.CreatePassthrough();
    [Fact]
    public void Test()
    {
        // Setup
        using RSA rsa = RSA.Create(2048);
        RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
        Key key = new()
        {
            Id = new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
            CreatedAt = DateTime.UtcNow,
            Priority = 10,
        };
        key.SetPrivateKey(_encryptionService, rsa.ExportPkcs8PrivateKey());
        // Act
        KeyMapper mapper = new(_encryptionService);
        JsonWebKey jwk = mapper.KeyToJsonWebKey(key);
        Assert.Equal("RSA", jwk.KeyType);
        Assert.Equal(key.Id.ToString(), jwk.KeyId);
        Assert.Equal("sig", jwk.Use);
        Assert.Equal(parameters.Exponent, WebEncoders.Base64UrlDecode(jwk.Exponent));
        Assert.Equal(parameters.Modulus, WebEncoders.Base64UrlDecode(jwk.Modulus));
    }
 }
--- a/IdentityShroud.Api.Tests/Mappers/KeyServiceTests.cs
+++ b/IdentityShroud.Api.Tests/Mappers/KeyServiceTests.cs
@ -0,0 +1,46 @@
 using System.Buffers.Text;
 using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Security;
 using IdentityShroud.Core.Security.Keys;
 using IdentityShroud.Core.Services;
 using IdentityShroud.TestUtils.Substitutes;
 namespace IdentityShroud.Api.Tests.Mappers;
 public class KeyServiceTests
 {
    private readonly NullDekEncryptionService _dekEncryptionService = new(); 
    [Fact]
    public void Test()
    {
        // Setup
        using RSA rsa = RSA.Create(2048);
        RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
        DekId kid = DekId.NewId();
        RealmKey realmKey = new()
        {
            Id = new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
            KeyType = "RSA",
            Key = new(_dekEncryptionService.KeyId, rsa.ExportPkcs8PrivateKey()),
            CreatedAt = DateTime.UtcNow,
            Priority = 10,
        };
        // Act
        KeyService sut = new(_dekEncryptionService, new KeyProviderFactory(), new ClockService());
        var jwk = sut.CreateJsonWebKey(realmKey);
        Assert.NotNull(jwk);
        Assert.Equal("RSA", jwk.KeyType);
        Assert.Equal(realmKey.Id.ToString(), jwk.KeyId);
        Assert.Equal("sig", jwk.Use);
        Assert.Equal(parameters.Exponent, Base64Url.DecodeFromChars(jwk.Exponent));
        Assert.Equal(parameters.Modulus, Base64Url.DecodeFromChars(jwk.Modulus));
    }
 }
--- a/IdentityShroud.Api/Apis/ClientApi.cs
+++ b/IdentityShroud.Api/Apis/ClientApi.cs
@ -0,0 +1,73 @@
 using FluentResults;
 using IdentityShroud.Api.Mappers;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
 namespace IdentityShroud.Api;
 public record ClientCreateReponse(int Id, string ClientId);
 /// <summary>
 /// The part of the api below realms/{slug}/clients
 /// </summary>
 public static class ClientApi
 {
    public const string ClientGetRouteName = "ClientGet";
    public static void MapEndpoints(this IEndpointRouteBuilder erp)
    {
        RouteGroupBuilder clientsGroup = erp.MapGroup("clients");        
        clientsGroup.MapPost("", ClientCreate)
            .Validate<ClientCreateRequest>() 
            .WithName("ClientCreate")
            .Produces(StatusCodes.Status201Created);
        var clientIdGroup = clientsGroup.MapGroup("{clientId}")
            .AddEndpointFilter<ClientIdValidationFilter>();
        clientIdGroup.MapGet("", ClientGet)
            .WithName(ClientGetRouteName);
    }
    private static Ok<ClientRepresentation> ClientGet(
        Guid realmId,
        int clientId,
        HttpContext context)
    {
        Client client = (Client)context.Items["ClientEntity"]!;
        return TypedResults.Ok(new ClientMapper().ToDto(client));
    }
    private static async Task<Results<CreatedAtRoute<ClientCreateReponse>, InternalServerError>>
        ClientCreate(
            Guid realmId,
            ClientCreateRequest request, 
            [FromServices] IClientService service,
            HttpContext context,
            CancellationToken cancellationToken)
    {
        Realm realm = context.GetValidatedRealm();
        Result<Client> result = await service.Create(realm.Id, request, cancellationToken);
        if (result.IsFailed)
        {
            throw new NotImplementedException();
        }
        Client client = result.Value;
        return TypedResults.CreatedAtRoute(
            new ClientCreateReponse(client.Id, client.ClientId),
            ClientGetRouteName, 
            new RouteValueDictionary()
            {
                ["realmId"] = realm.Id,
                ["clientId"] = client.Id, 
            });
    }
 }
--- a/IdentityShroud.Api/Apis/Dto/ClientRepresentation.cs
+++ b/IdentityShroud.Api/Apis/Dto/ClientRepresentation.cs
@ -0,0 +1,16 @@
 namespace IdentityShroud.Api;
 public record ClientRepresentation
 {
    public int Id { get; set; }
    public Guid RealmId { get; set; }
    public required string ClientId { get; set; }
    public string? Name { get; set; }
    public string? Description { get; set; }
    public string? SignatureAlgorithm { get; set; }
    public bool AllowClientCredentialsFlow { get; set; } = false;
    public required DateTime CreatedAt { get; set; }
 }
--- a/IdentityShroud.Api/Apis/EndpointRouteBuilderExtensions.cs
+++ b/IdentityShroud.Api/Apis/EndpointRouteBuilderExtensions.cs
@ -0,0 +1,15 @@
 namespace IdentityShroud.Api;
 public static class EndpointRouteBuilderExtensions
 {
    public static RouteHandlerBuilder Validate<TDto>(this RouteHandlerBuilder builder) where TDto : class
        => builder.AddEndpointFilter<ValidateFilter<TDto>>();
    public static void MapApis(this IEndpointRouteBuilder erp)
    {
        RealmApi.MapRealmEndpoints(erp);
        OpenIdEndpoints.MapEndpoints(erp);
    }
 }
--- a/IdentityShroud.Api/Apis/Filters/ClientIdValidationFilter.cs
+++ b/IdentityShroud.Api/Apis/Filters/ClientIdValidationFilter.cs
@ -0,0 +1,21 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
 namespace IdentityShroud.Api;
 public class ClientIdValidationFilter(IClientService clientService) : IEndpointFilter
 {
    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
    {
        Guid realmId = context.Arguments.OfType<Guid>().First();
        int id = context.Arguments.OfType<int>().First();
        Client? client = await clientService.FindById(realmId, id, context.HttpContext.RequestAborted);
        if (client is null)
        {
            return Results.NotFound();
        }
        context.HttpContext.Items["ClientEntity"] = client;
        return await next(context);
    }
 }
--- a/IdentityShroud.Api/Apis/Filters/RealmIdValidationFilter.cs
+++ b/IdentityShroud.Api/Apis/Filters/RealmIdValidationFilter.cs
@ -0,0 +1,20 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
 namespace IdentityShroud.Api;
 public class RealmIdValidationFilter(IRealmService realmService) : IEndpointFilter
 {
    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
    {
        Guid id = context.Arguments.OfType<Guid>().First();
        Realm? realm = await realmService.FindById(id, context.HttpContext.RequestAborted);
        if (realm is null)
        {
            return Results.NotFound();
        }
        context.HttpContext.Items["RealmEntity"] = realm;
        return await next(context);
    }
 }
--- a/IdentityShroud.Api/Apis/Filters/RealmSlugValidationFilter.cs
+++ b/IdentityShroud.Api/Apis/Filters/RealmSlugValidationFilter.cs
@ -1,5 +1,5 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Services;
 namespace IdentityShroud.Api;
@ -9,12 +9,13 @@ namespace IdentityShroud.Api;
 /// consistently.
 /// </summary>
 /// <param name="realmService"></param>
-public class SlugValidationFilter(IRealmService realmService) : IEndpointFilter
+public class RealmSlugValidationFilter(IRealmService realmService) : IEndpointFilter
 {
    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
    {
-        string slug = context.Arguments.OfType<string>().First();
+        string realmSlug = context.Arguments.OfType<string>().FirstOrDefault()
-        Realm? realm = await realmService.FindBySlug(slug);
+            ?? throw new InvalidOperationException("Expected argument missing, ensure you include path parameters in your handlers signature even when you don't use them");
        Realm? realm = await realmService.FindBySlug(realmSlug, context.HttpContext.RequestAborted);
        if (realm is null)
        {
            return Results.NotFound();
--- a/IdentityShroud.Api/Apis/Mappers/ClientMapper.cs
+++ b/IdentityShroud.Api/Apis/Mappers/ClientMapper.cs
@ -0,0 +1,11 @@
 using IdentityShroud.Core.Model;
 using Riok.Mapperly.Abstractions;
 namespace IdentityShroud.Api.Mappers;
 [Mapper]
 public partial class ClientMapper
 {
    [MapperIgnoreSource(nameof(Client.Secrets))]
    public partial ClientRepresentation ToDto(Client client);
 }
--- a/IdentityShroud.Api/Apis/Mappers/KeyMapper.cs
+++ b/IdentityShroud.Api/Apis/Mappers/KeyMapper.cs
@ -1,34 +1,22 @@
 using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Messages;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Security;
 using Microsoft.AspNetCore.WebUtilities;
 namespace IdentityShroud.Api.Mappers;
-public class KeyMapper(IEncryptionService encryptionService)
+public class KeyMapper(IKeyService keyService)
 {
-    public JsonWebKey KeyToJsonWebKey(Key key)
+    public JsonWebKeySet KeyListToJsonWebKeySet(IEnumerable<RealmKey> keys)
    {
-        using var rsa = RsaHelper.LoadFromPkcs8(key.GetPrivateKey(encryptionService));
+        JsonWebKeySet wks = new();
-        RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
+        foreach (var k in keys)
        return new JsonWebKey()
        {
-            KeyType = rsa.SignatureAlgorithm,
+            var wk = keyService.CreateJsonWebKey(k);
-            KeyId = key.Id.ToString(),
+            if (wk is {})
-            Use = "sig",
+            {
-            Exponent = WebEncoders.Base64UrlEncode(parameters.Exponent!),
+                wks.Keys.Add(wk);
            Modulus = WebEncoders.Base64UrlEncode(parameters.Modulus!),
        };
            }
-
+        }
-    public JsonWebKeySet KeyListToJsonWebKeySet(IEnumerable<Key> keys)
+        return wks;
    {
        return new JsonWebKeySet()
        {
            Keys = keys.Select(e => KeyToJsonWebKey(e)).ToList(),
        };
    }
 }
--- a/IdentityShroud.Api/Apis/OpenIdEndpoints.cs
+++ b/IdentityShroud.Api/Apis/OpenIdEndpoints.cs
@ -0,0 +1,72 @@
 using IdentityShroud.Api.Mappers;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Messages;
 using IdentityShroud.Core.Model;
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
 namespace IdentityShroud.Api;
 public static class OpenIdEndpoints
 {
    // openid: auth/realms/{realmSlug}/.well-known/openid-configuration
    // openid: auth/realms/{realmSlug}/openid-connect/(auth|token|jwks)
    public static void MapEndpoints(this IEndpointRouteBuilder erp)
    {
        var realmsGroup = erp.MapGroup("/auth/realms");
        var realmSlugGroup = realmsGroup.MapGroup("{realmSlug}")
            .AddEndpointFilter<RealmSlugValidationFilter>();
        realmSlugGroup.MapGet(".well-known/openid-configuration", GetOpenIdConfiguration);
        var openidConnect = realmSlugGroup.MapGroup("openid-connect");
        openidConnect.MapPost("auth", OpenIdConnectAuth);
        openidConnect.MapPost("token", OpenIdConnectToken);
        openidConnect.MapGet("jwks", OpenIdConnectJwks);
    }
    private static async Task<JsonHttpResult<OpenIdConfiguration>> GetOpenIdConfiguration(
        string realmSlug,
        [FromServices]IRealmService realmService,
        HttpContext context)
    {
        Realm realm = context.GetValidatedRealm();
        var s = $"{context.Request.Scheme}://{context.Request.Host}{context.Request.Path}";
        var searchString = $"realms/{realmSlug}";
        int index = s.IndexOf(searchString, StringComparison.OrdinalIgnoreCase);
        string baseUri = s.Substring(0, index + searchString.Length);
        return TypedResults.Json(new OpenIdConfiguration()
        {
            AuthorizationEndpoint = baseUri + "/openid-connect/auth",
            TokenEndpoint = baseUri + "/openid-connect/token",
            Issuer =  baseUri,
            JwksUri =  baseUri + "/openid-connect/jwks",
        }, AppJsonSerializerContext.Default.OpenIdConfiguration);
    }
    private static async Task<Results<Ok<JsonWebKeySet>, BadRequest>> OpenIdConnectJwks(
        string realmSlug,
        [FromServices]IRealmService realmService,
        [FromServices]KeyMapper keyMapper,
        HttpContext context)
    {
        Realm realm = context.GetValidatedRealm();
        await realmService.LoadActiveKeys(realm);
        return TypedResults.Ok(keyMapper.KeyListToJsonWebKeySet(realm.Keys));
    }
    private static Task OpenIdConnectToken(HttpContext context)
    {
        throw new NotImplementedException();
    }
    private static Task OpenIdConnectAuth(HttpContext context)
    {
        throw new NotImplementedException();
    }
 }
--- a/IdentityShroud.Api/Apis/RealmApi.cs
+++ b/IdentityShroud.Api/Apis/RealmApi.cs
@ -1,7 +1,4 @@
-using FluentResults;
+using IdentityShroud.Core.Contracts;
 using IdentityShroud.Api.Mappers;
 using IdentityShroud.Api.Validation;
 using IdentityShroud.Core.Messages;
 using IdentityShroud.Core.Messages.Realm;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Services;
@ -15,26 +12,28 @@ public static class HttpContextExtensions
    public static Realm GetValidatedRealm(this HttpContext context) => (Realm)context.Items["RealmEntity"]!;    
 }
 // api: api/v1/realms/{realmId}/....
 // api: api/v1/realms/{realmId}/clients/{clientId}
 public static class RealmApi
 {
-    public static void MapRealmEndpoints(this IEndpointRouteBuilder app)
+    public static void MapRealmEndpoints(IEndpointRouteBuilder erp)
    {
-        var realmsGroup = app.MapGroup("/realms");
+        var realmsGroup = erp.MapGroup("/api/v1/realms");
        realmsGroup.MapPost("", RealmCreate)
            .Validate<RealmCreateRequest>() 
            .WithName("Create Realm")
            .Produces(StatusCodes.Status201Created);
-        var realmSlugGroup = realmsGroup.MapGroup("{slug}")
+        var realmIdGroup = realmsGroup.MapGroup("{realmId}")
-            .AddEndpointFilter<SlugValidationFilter>();
+            .AddEndpointFilter<RealmIdValidationFilter>();
-        realmSlugGroup.MapGet(".well-known/openid-configuration", GetOpenIdConfiguration);
+
        ClientApi.MapEndpoints(realmIdGroup);
        var openidConnect = realmSlugGroup.MapGroup("openid-connect");
        openidConnect.MapPost("auth", OpenIdConnectAuth);
        openidConnect.MapPost("token", OpenIdConnectToken);
        openidConnect.MapGet("jwks", OpenIdConnectJwks);
    }
    private static async Task<Results<Created<RealmCreateResponse>, InternalServerError>> 
@ -47,46 +46,4 @@ public static class RealmApi
        // TODO make helper to convert failure response to a proper HTTP result.
        return TypedResults.InternalServerError();
    }
    private static async Task<Results<Ok<JsonWebKeySet>, BadRequest>> OpenIdConnectJwks(
        string slug,
        [FromServices]IRealmService realmService,
        [FromServices]KeyMapper keyMapper,
        HttpContext context)
    {
        Realm realm = context.GetValidatedRealm();
        await realmService.LoadActiveKeys(realm);
        return TypedResults.Ok(keyMapper.KeyListToJsonWebKeySet(realm.Keys));
    }
    private static Task OpenIdConnectToken(HttpContext context)
    {
        throw new NotImplementedException();
    }
    private static Task OpenIdConnectAuth(HttpContext context)
    {
        throw new NotImplementedException();
    }
    private static async Task<JsonHttpResult<OpenIdConfiguration>> GetOpenIdConfiguration(
        string slug,
        [FromServices]IRealmService realmService,
        HttpContext context)
    {
        Realm realm = context.GetValidatedRealm();
        var s = $"{context.Request.Scheme}://{context.Request.Host}{context.Request.Path}";
        var searchString = $"realms/{slug}";
        int index = s.IndexOf(searchString, StringComparison.OrdinalIgnoreCase);
        string baseUri = s.Substring(0, index + searchString.Length);
        return TypedResults.Json(new OpenIdConfiguration()
        {
            AuthorizationEndpoint = baseUri + "/openid-connect/auth",
            TokenEndpoint = baseUri + "/openid-connect/token",
            Issuer =  baseUri,
            JwksUri =  baseUri + "/openid-connect/jwks",
        }, AppJsonSerializerContext.Default.OpenIdConfiguration);
    }
 }
--- a/IdentityShroud.Api/Apis/Validation/ClientCreateRequestValidator.cs
+++ b/IdentityShroud.Api/Apis/Validation/ClientCreateRequestValidator.cs
@ -0,0 +1,22 @@
 using FluentValidation;
 using IdentityShroud.Core.Contracts;
 namespace IdentityShroud.Api;
 public class ClientCreateRequestValidator : AbstractValidator<ClientCreateRequest>
 {
    // most of standard ascii minus the control characters and space 
    private const string ClientIdPattern = "^[\x21-\x7E]+";
    private string[] AllowedAlgorithms = [ "RS256", "ES256" ];
    public ClientCreateRequestValidator()
    {
        RuleFor(e => e.ClientId).NotEmpty().MaximumLength(40).Matches(ClientIdPattern);
        RuleFor(e => e.Name).MaximumLength(80);
        RuleFor(e => e.Description).MaximumLength(2048);
        RuleFor(e => e.SignatureAlgorithm)
            .Must(v => v is null || AllowedAlgorithms.Contains(v))
            .WithMessage($"SignatureAlgorithm must be one of {string.Join(", ", AllowedAlgorithms)} or null");
    }
 }
--- a/IdentityShroud.Api/Apis/Validation/RealmCreateRequestValidator.cs
+++ b/IdentityShroud.Api/Apis/Validation/RealmCreateRequestValidator.cs
@ -1,7 +1,7 @@
 using FluentValidation;
 using IdentityShroud.Core.Messages.Realm;
-namespace IdentityShroud.Api.Validation;
+namespace IdentityShroud.Api;
 public class RealmCreateRequestValidator : AbstractValidator<RealmCreateRequest>
 {
--- a/IdentityShroud.Api/Apis/Validation/ValidateFilter.cs
+++ b/IdentityShroud.Api/Apis/Validation/ValidateFilter.cs
@ -1,6 +1,6 @@
 using FluentValidation;
-namespace IdentityShroud.Api.Validation;
+namespace IdentityShroud.Api;
 public class ValidateFilter<T> : IEndpointFilter where T : class
 {
--- a/IdentityShroud.Api/AppJsonSerializerContext.cs
+++ b/IdentityShroud.Api/AppJsonSerializerContext.cs
@ -1,7 +1,6 @@
 using System.Text.Json.Serialization;
 using IdentityShroud.Core.Messages;
 using IdentityShroud.Core.Messages.Realm;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
 [JsonSerializable(typeof(OpenIdConfiguration))]
 [JsonSerializable(typeof(RealmCreateRequest))]
--- a/IdentityShroud.Api/IdentityShroud.Api.csproj
+++ b/IdentityShroud.Api/IdentityShroud.Api.csproj
@ -17,7 +17,7 @@
    <ItemGroup>
        <PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="12.1.1" />
        <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.0"/>
-        <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.2" />
+        <PackageReference Include="Riok.Mapperly" Version="4.3.1" />
        <PackageReference Include="Serilog" Version="4.3.0" />
        <PackageReference Include="Serilog.AspNetCore" Version="10.0.0" />
        <PackageReference Include="Serilog.Expressions" Version="5.0.0" />
--- a/IdentityShroud.Api/IdentityShroud.Api.csproj.DotSettings
+++ b/IdentityShroud.Api/IdentityShroud.Api.csproj.DotSettings
@ -1,3 +1,5 @@
 <wpf:ResourceDictionary xml:space="preserve" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:s="clr-namespace:System;assembly=mscorlib" xmlns:ss="urn:shemas-jetbrains-com:settings-storage-xaml" xmlns:wpf="http://schemas.microsoft.com/winfx/2006/xaml/presentation">
 	<s:Boolean x:Key="/Default/CodeInspection/NamespaceProvider/NamespaceFoldersToSkip/=apis_005Cdto/@EntryIndexedValue">True</s:Boolean>
-	<s:Boolean x:Key="/Default/CodeInspection/NamespaceProvider/NamespaceFoldersToSkip/=apis_005Cfilters/@EntryIndexedValue">True</s:Boolean></wpf:ResourceDictionary>
+	<s:Boolean x:Key="/Default/CodeInspection/NamespaceProvider/NamespaceFoldersToSkip/=apis_005Cfilters/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/CodeInspection/NamespaceProvider/NamespaceFoldersToSkip/=apis_005Cvalidation/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/CodeInspection/NamespaceProvider/NamespaceFoldersToSkip/=validation/@EntryIndexedValue">True</s:Boolean></wpf:ResourceDictionary>
--- a/IdentityShroud.Api/Program.cs
+++ b/IdentityShroud.Api/Program.cs
@ -1,10 +1,10 @@
 using FluentValidation;
 using IdentityShroud.Api;
 using IdentityShroud.Api.Mappers;
 using IdentityShroud.Api.Validation;
 using IdentityShroud.Core;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Security;
 using IdentityShroud.Core.Security.Keys;
 using IdentityShroud.Core.Services;
 using Serilog;
 using Serilog.Formatting.Json;
@ -36,13 +36,21 @@ void ConfigureBuilder(WebApplicationBuilder builder)
    // Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
    services.AddOpenApi();
    services.AddScoped<Db>();
    services.AddScoped<IClientService, ClientService>();
    services.AddSingleton<IClock, ClockService>();
    services.AddSingleton<IDekEncryptionService, DekEncryptionService>();
    services.AddScoped<IDataEncryptionService, DataEncryptionService>();
    services.AddScoped<IRealmContext, RealmContext>();
    services.AddScoped<IKeyProviderFactory, KeyProviderFactory>();
    services.AddScoped<IKeyService, KeyService>();
    services.AddScoped<IRealmService, RealmService>();
    services.AddOptions<DbConfiguration>().Bind(configuration.GetSection("db"));
    services.AddSingleton<ISecretProvider, ConfigurationSecretProvider>();
-    services.AddSingleton<KeyMapper>();
+    services.AddScoped<KeyMapper>();
-    services.AddSingleton<IEncryptionService, EncryptionService>();
+    services.AddScoped<IRealmContext, RealmContext>();
    services.AddValidatorsFromAssemblyContaining<RealmCreateRequestValidator>();
    services.AddHttpContextAccessor();
    builder.Host.UseSerilog((context, services, configuration) => configuration
        .Enrich.FromLogContext()
@ -57,7 +65,8 @@ void ConfigureApplication(WebApplication app)
        app.MapOpenApi();
    }
    app.UseSerilogRequestLogging();
-    app.MapRealmEndpoints();
+    app.MapApis();
    // app.UseRouting();
    // app.MapControllers();
 }
--- a/IdentityShroud.Api/Validation/EndpointRouteBuilderExtensions.cs
+++ b/IdentityShroud.Api/Validation/EndpointRouteBuilderExtensions.cs
@ -1,7 +0,0 @@
 namespace IdentityShroud.Api.Validation;
 public static class EndpointRouteBuilderExtensions
 {
    public static RouteHandlerBuilder Validate<TDto>(this RouteHandlerBuilder builder) where TDto : class
        => builder.AddEndpointFilter<ValidateFilter<TDto>>();    
 }
--- a/IdentityShroud.Core.Tests/Fixtures/DbFixture.cs
+++ b/IdentityShroud.Core.Tests/Fixtures/DbFixture.cs
@ -1,5 +1,4 @@
-using DotNet.Testcontainers.Containers;
+using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
 using Npgsql;
 using Testcontainers.PostgreSql;
--- a/IdentityShroud.Core.Tests/Helpers/Base64UrlConverterTests.cs
+++ b/IdentityShroud.Core.Tests/Helpers/Base64UrlConverterTests.cs
@ -0,0 +1,36 @@
 using System.Text;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 using IdentityShroud.Core.Helpers;
 namespace IdentityShroud.Core.Tests.Helpers;
 public class Base64UrlConverterTests
 {
    internal class Data
    {
        [JsonConverter(typeof(Base64UrlConverter))]
        public byte[]? X { get; set; }
    }
    [Fact]
    public void Serialize()
    {
        Data d = new() { X = ">>>???"u8.ToArray() };
        string s = JsonSerializer.Serialize(d);
        Assert.Contains("\"Pj4-Pz8_\"", s);
    }
    [Fact]
    public void Deerialize()
    {
        var jsonstring = """
            { "X": "Pj4-Pz8_" }
            """;
        var d = JsonSerializer.Deserialize<Data>(jsonstring);
        Assert.Equal(">>>???", Encoding.UTF8.GetString(d.X)); 
    }
 }
--- a/IdentityShroud.Core.Tests/JwtSignatureGeneratorTests.cs
+++ b/IdentityShroud.Core.Tests/JwtSignatureGeneratorTests.cs
@ -72,8 +72,8 @@ public class JwtSignatureGeneratorTests
        var rsa = RSA.Create();
        var parameters = new RSAParameters
        {
-            Modulus = WebEncoders.Base64UrlDecode(jwk.Modulus),
+            Modulus = WebEncoders.Base64UrlDecode(jwk.Modulus!),
-            Exponent = WebEncoders.Base64UrlDecode(jwk.Exponent)
+            Exponent = WebEncoders.Base64UrlDecode(jwk.Exponent!)
        };
        rsa.ImportParameters(parameters);
--- a/IdentityShroud.Core.Tests/Model/KeyTests.cs
+++ b/IdentityShroud.Core.Tests/Model/KeyTests.cs
@ -1,51 +0,0 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
 namespace IdentityShroud.Core.Tests.Model;
 public class KeyTests
 {
    [Fact]
    public void SetNewKey()
    {
        byte[] privateKey = [5, 6, 7, 8];
        byte[] encryptedPrivateKey = [1, 2, 3, 4];
        var encryptionService = Substitute.For<IEncryptionService>();
        encryptionService
            .Encrypt(Arg.Any<byte[]>())
            .Returns(x => encryptedPrivateKey); 
        Key key = new();
        key.SetPrivateKey(encryptionService, privateKey);
        // should be able to return original without calling decrypt
        Assert.Equal(privateKey, key.GetPrivateKey(encryptionService));
        Assert.Equal(encryptedPrivateKey, key.PrivateKeyEncrypted);
        encryptionService.Received(1).Encrypt(privateKey);
        encryptionService.DidNotReceive().Decrypt(Arg.Any<byte[]>());
    }
    [Fact]
    public void GetDecryptedKey()
    {
        byte[] privateKey = [5, 6, 7, 8];
        byte[] encryptedPrivateKey = [1, 2, 3, 4];
        var encryptionService = Substitute.For<IEncryptionService>();
        encryptionService
            .Decrypt(encryptedPrivateKey)
            .Returns(x => privateKey); 
        Key key = new();
        key.PrivateKeyEncrypted = encryptedPrivateKey;
        // should be able to return original without calling decrypt
        Assert.Equal(privateKey, key.GetPrivateKey(encryptionService));
        Assert.Equal(encryptedPrivateKey, key.PrivateKeyEncrypted);
        encryptionService.Received(1).Decrypt(encryptedPrivateKey);
    }
 }
--- a/IdentityShroud.Core.Tests/Security/AesGcmHelperTests.cs
+++ b/IdentityShroud.Core.Tests/Security/AesGcmHelperTests.cs
@ -1,21 +0,0 @@
 using System.Security.Cryptography;
 using System.Text;
 using IdentityShroud.Core.Security;
 namespace IdentityShroud.Core.Tests.Security;
 public class AesGcmHelperTests
 {
    [Fact]
    public void EncryptDecryptCycleWorks()
    {
        string input = "Hello, world!";
        var encryptionKey = RandomNumberGenerator.GetBytes(32);
        var cypher = AesGcmHelper.EncryptAesGcm(Encoding.UTF8.GetBytes(input), encryptionKey);
        var output = AesGcmHelper.DecryptAesGcm(cypher, encryptionKey);
        Assert.Equal(input, Encoding.UTF8.GetString(output));
    }
 }
--- a/IdentityShroud.Core.Tests/Security/ConfigurationSecretProviderTests.cs
+++ b/IdentityShroud.Core.Tests/Security/ConfigurationSecretProviderTests.cs
@ -0,0 +1,63 @@
 using System.Text;
 using IdentityShroud.Core.Security;
 using Microsoft.Extensions.Configuration;
 namespace IdentityShroud.Core.Tests.Security;
 public class ConfigurationSecretProviderTests
 {
    private static IConfiguration BuildConfigFromJson(string json)
    {
        // Convert the JSON string into a stream that the config builder can read.
        var jsonBytes = Encoding.UTF8.GetBytes(json);
        using var stream = new MemoryStream(jsonBytes);
        // Build the configuration just like the real app does, but from the stream.
        var config = new ConfigurationBuilder()
            .AddJsonStream(stream)   // <-- reads from the in‑memory JSON
            .Build();
        return config;
    }
    [Fact]
    public void Test()
    {
        string jsonConfig = """
            {
                "secrets": {
                    "master": [
                        {
                            "Id": "5676d159-5495-4945-aa84-59ee694aa8a2",
                            "Active": true,
                            "Algorithm": "AES",
                            "Key": "yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="
                        },
                        {
                            "Id": "b82489e7-a05a-4d64-b9a5-58d2f2c0dc39",
                            "Active": false,
                            "Algorithm": "AES",
                            "Key": "YSWK6vTJXCJOGLpCo+TtZ6anKNzvA1VT2xXLHbmq4M0="
                        }
                    ]    
                }
            }
            """;
        ConfigurationSecretProvider sut = new(BuildConfigFromJson(jsonConfig));
        // act
        var keys = sut.GetKeys("master");
        // verify
        Assert.Equal(2, keys.Length);
        var active = keys.Single(k => k.Active);
        Assert.Equal(new Guid("5676d159-5495-4945-aa84-59ee694aa8a2"), active.Id.Id);
        Assert.Equal("AES", active.Algorithm);
        Assert.Equal(Convert.FromBase64String("yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="), active.Key);
        var inactive = keys.Single(k => !k.Active);
        Assert.Equal(new Guid("b82489e7-a05a-4d64-b9a5-58d2f2c0dc39"), inactive.Id.Id);
    }
 }
--- a/IdentityShroud.Core.Tests/Services/ClientServiceTests.cs
+++ b/IdentityShroud.Core.Tests/Services/ClientServiceTests.cs
@ -0,0 +1,155 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Services;
 using IdentityShroud.Core.Tests.Fixtures;
 using IdentityShroud.TestUtils.Substitutes;
 using Microsoft.EntityFrameworkCore;
 namespace IdentityShroud.Core.Tests.Services;
 public class ClientServiceTests : IClassFixture<DbFixture>
 {
    private readonly DbFixture _dbFixture;
    private readonly NullDataEncryptionService _dataEncryptionService = new();
    private readonly IClock _clock = Substitute.For<IClock>();
    private readonly Guid _realmId = new("a1b2c3d4-0000-0000-0000-000000000001");
    public ClientServiceTests(DbFixture dbFixture)
    {
        _dbFixture = dbFixture;
        using Db db = dbFixture.CreateDbContext();
        if (!db.Database.EnsureCreated())
            TruncateTables(db);
        EnsureRealm(db);
    }
    private void TruncateTables(Db db)
    {
        db.Database.ExecuteSqlRaw("TRUNCATE client CASCADE;");
        db.Database.ExecuteSqlRaw("TRUNCATE realm CASCADE;");
    }
    private void EnsureRealm(Db db)
    {
        if (!db.Realms.Any(r => r.Id == _realmId))
        {
            db.Realms.Add(new() { Id = _realmId, Slug = "test-realm", Name = "Test Realm" });
            db.SaveChanges();
        }
    }
    [Theory]
    [InlineData(false)]
    [InlineData(true)]
    public async Task Create(bool allowClientCredentialsFlow)
    {
        // Setup
        DateTime now = DateTime.UtcNow;
        _clock.UtcNow().Returns(now);
        Client val;
        await using (var db = _dbFixture.CreateDbContext())
        {
            // Act
            ClientService sut = new(db, _dataEncryptionService, _clock);
            var response = await sut.Create(
                _realmId,
                new ClientCreateRequest
                {
                    ClientId = "test-client",
                    Name = "Test Client",
                    Description = "A test client",
                    AllowClientCredentialsFlow = allowClientCredentialsFlow,
                },
                TestContext.Current.CancellationToken);
            // Verify
            val = ResultAssert.Success(response);
            Assert.Equal(_realmId, val.RealmId);
            Assert.Equal("test-client", val.ClientId);
            Assert.Equal("Test Client", val.Name);
            Assert.Equal("A test client", val.Description);
            Assert.Equal(allowClientCredentialsFlow, val.AllowClientCredentialsFlow);
            Assert.Equal(now, val.CreatedAt);
        }
        await using (var db = _dbFixture.CreateDbContext())
        {
            var dbRecord = await db.Clients
                .Include(e => e.Secrets)
                .SingleAsync(e => e.Id == val.Id, TestContext.Current.CancellationToken);
            if (allowClientCredentialsFlow)
                Assert.Single(dbRecord.Secrets);
            else
                Assert.Empty(dbRecord.Secrets);
        }
    }
    [Theory]
    [InlineData("existing-client", true)]
    [InlineData("missing-client", false)]
    public async Task GetByClientId(string clientId, bool shouldFind)
    {
        // Setup
        _clock.UtcNow().Returns(DateTime.UtcNow);
        await using (var setupContext = _dbFixture.CreateDbContext())
        {
            setupContext.Clients.Add(new()
            {
                RealmId = _realmId,
                ClientId = "existing-client",
                CreatedAt = DateTime.UtcNow,
            });
            await setupContext.SaveChangesAsync(TestContext.Current.CancellationToken);
        }
        await using var actContext = _dbFixture.CreateDbContext();
        // Act
        ClientService sut = new(actContext, _dataEncryptionService, _clock);
        Client? result = await sut.GetByClientId(_realmId, clientId, TestContext.Current.CancellationToken);
        // Verify
        if (shouldFind)
            Assert.NotNull(result);
        else
            Assert.Null(result);
    }
    [Theory]
    [InlineData(true)]
    [InlineData(false)]
    public async Task FindById(bool shouldFind)
    {
        // Setup
        _clock.UtcNow().Returns(DateTime.UtcNow);
        int existingId;
        await using (var setupContext = _dbFixture.CreateDbContext())
        {
            Client client = new()
            {
                RealmId = _realmId,
                ClientId = "find-by-id-client",
                CreatedAt = DateTime.UtcNow,
            };
            setupContext.Clients.Add(client);
            await setupContext.SaveChangesAsync(TestContext.Current.CancellationToken);
            existingId = client.Id;
        }
        int searchId = shouldFind ? existingId : existingId + 9999;
        await using var actContext = _dbFixture.CreateDbContext();
        // Act
        ClientService sut = new(actContext, _dataEncryptionService, _clock);
        Client? result = await sut.FindById(_realmId, searchId, TestContext.Current.CancellationToken);
        // Verify
        if (shouldFind)
            Assert.NotNull(result);
        else
            Assert.Null(result);
    }
 }
--- a/IdentityShroud.Core.Tests/Services/DataEncryptionServiceTests.cs
+++ b/IdentityShroud.Core.Tests/Services/DataEncryptionServiceTests.cs
@ -0,0 +1,64 @@
 using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Security;
 using IdentityShroud.Core.Services;
 using IdentityShroud.TestUtils.Substitutes;
 namespace IdentityShroud.Core.Tests.Services;
 public class DataEncryptionServiceTests
 {
    private readonly IRealmContext _realmContext = Substitute.For<IRealmContext>();
    private readonly IDekEncryptionService _dekCryptor = new NullDekEncryptionService();// Substitute.For<IDekEncryptionService>();
    private readonly DekId _activeDekId = DekId.NewId();
    private readonly DekId _secondDekId = DekId.NewId();
    private DataEncryptionService CreateSut()
        => new(_realmContext, _dekCryptor);
    [Fact]
    public void Encrypt_UsesActiveKey()
    {
        _realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([
            CreateRealmDek(_secondDekId, false),
            CreateRealmDek(_activeDekId, true),
        ]);
        var cipher = CreateSut().Encrypt("Hello"u8);
        Assert.Equal(_activeDekId, cipher.DekId);
    }
    [Fact]
    public void Decrypt_UsesCorrectKey()
    {
        var first = CreateRealmDek(_activeDekId, true);
        _realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([ first ]);
        var sut = CreateSut();
        var cipher = sut.Encrypt("Hello"u8);
        // Deactivate original key
        first.Active = false;
        // Make new active
        var second = CreateRealmDek(_secondDekId, true);
        // Return both
        _realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([ first, second ]);
        var decoded = sut.Decrypt(cipher);
        Assert.Equal("Hello"u8, decoded);
    }
    private RealmDek CreateRealmDek(DekId id, bool active)
        => new()
        {
            Id = id,
            Active = active,
            Algorithm = "AES",
            KeyData = new(KekId.NewId(), RandomNumberGenerator.GetBytes(32)),
            RealmId = default,
        };
 }
--- a/IdentityShroud.Core.Tests/Services/DekEncryptionServiceTests.cs
+++ b/IdentityShroud.Core.Tests/Services/DekEncryptionServiceTests.cs
@ -0,0 +1,123 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Security;
 using IdentityShroud.Core.Services;
 namespace IdentityShroud.Core.Tests.Services;
 public class DekEncryptionServiceTests
 {
    [Fact]
    public void RoundtripWorks()
    {
        // Note this code will tend to only test the latest verion.
        // setup
        byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
        var secretProvider = Substitute.For<ISecretProvider>();
        KeyEncryptionKey[] keys =
        [
            new KeyEncryptionKey(KekId.NewId(), true, "AES", keyValue)
        ];
        secretProvider.GetKeys("master").Returns(keys);
        ReadOnlySpan<byte> input = "Hello, World!"u8;
        // act
        DekEncryptionService sut = new(secretProvider);
        EncryptedDek cipher = sut.Encrypt(input.ToArray());
        byte[] result = sut.Decrypt(cipher);
        // verify
        Assert.Equal(input, result);
    }
    [Fact]
    public void DetectsCorruptInput()
    {
        // When introducing a new version we need version specific tests to 
        // make sure decoding of legacy data still works.
        KekId kid = KekId.NewId();
        // setup
        byte[] cipher = // NOTE INCORRECT CIPHER DO NOT USE IN OTHER TESTS
        [
            1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
            193, 75, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
        ];
        EncryptedDek secret = new(kid, cipher);
        byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
        var secretProvider = Substitute.For<ISecretProvider>();
        KeyEncryptionKey[] keys =
        [
            new KeyEncryptionKey(kid, true, "AES", keyValue)
        ];
        secretProvider.GetKeys("master").Returns(keys);
        // act
        DekEncryptionService sut = new(secretProvider);
        Assert.Throws<InvalidOperationException>(
            () => sut.Decrypt(secret),
            ex => ex.Message.Contains("Decryption failed") ? null : "Expected Decryption failed in message");
    }
    [Fact]
    public void DecodeSelectsRightKey()
    {
        // The key is marked inactive also it is the second key
        // setup
        KekId kid1 = KekId.NewId();
        KekId kid2 = KekId.NewId();
        byte[] cipher =
        [
            1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
            193, 74, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
        ];
        EncryptedDek secret = new(kid1, cipher);
        byte[] keyValue1 = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
        byte[] keyValue2 = Convert.FromBase64String("Dat1RwRvuLX3wdKMMP4NwHdBl8tJJsKfp01qikyo8aw=");
        var secretProvider = Substitute.For<ISecretProvider>();
        KeyEncryptionKey[] keys =
        [
            new KeyEncryptionKey(kid2, true, "AES", keyValue2),
            new KeyEncryptionKey(kid1, false, "AES", keyValue1),
        ];
        secretProvider.GetKeys("master").Returns(keys);
        // act
        DekEncryptionService sut = new(secretProvider);
        byte[] result = sut.Decrypt(secret);
        // verify
        Assert.Equal("Hello, World!"u8, result);
    }
    [Fact]
    public void EncryptionUsesActiveKey()
    {
        // setup
        KekId kid1 = KekId.NewId();
        KekId kid2 = KekId.NewId();
        byte[] keyValue1 = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
        byte[] keyValue2 = Convert.FromBase64String("Dat1RwRvuLX3wdKMMP4NwHdBl8tJJsKfp01qikyo8aw=");
        var secretProvider = Substitute.For<ISecretProvider>();
        KeyEncryptionKey[] keys =
        [
            new KeyEncryptionKey(kid1, false, "AES", keyValue1),
            new KeyEncryptionKey(kid2, true, "AES", keyValue2),
        ];
        secretProvider.GetKeys("master").Returns(keys);
        ReadOnlySpan<byte> input = "Hello, World!"u8;
        // act
        DekEncryptionService sut = new(secretProvider);
        EncryptedDek cipher = sut.Encrypt(input.ToArray());
        // Verify
        Assert.Equal(kid2, cipher.KekId);
    }
 }
--- a/IdentityShroud.Core.Tests/Services/EncryptionServiceTests.cs
+++ b/IdentityShroud.Core.Tests/Services/EncryptionServiceTests.cs
@ -1,26 +0,0 @@
 using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Services;
 namespace IdentityShroud.Core.Tests.Services;
 public class EncryptionServiceTests
 {
    [Fact]
    public void RoundtripWorks()
    {
        // setup
        string key = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        var secretProvider = Substitute.For<ISecretProvider>();
        secretProvider.GetSecret("Master").Returns(key);
        EncryptionService sut = new(secretProvider);
        byte[] input = RandomNumberGenerator.GetBytes(16);
        // act
        var cipher = sut.Encrypt(input);
        var result = sut.Decrypt(cipher);
        Assert.Equal(input, result);
    }
 }
--- a/IdentityShroud.Core.Tests/Services/EncryptionTests.cs
+++ b/IdentityShroud.Core.Tests/Services/EncryptionTests.cs
@ -0,0 +1,30 @@
 using IdentityShroud.Core.Security;
 using IdentityShroud.Core.Services;
 namespace IdentityShroud.Core.Tests.Services;
 public class EncryptionTests
 {
    [Fact]
    public void DecodeV1_Success()
    {
        // When introducing a new version we need version specific tests to 
        // make sure decoding of legacy data still works.
        // setup
        byte[] cipher =
        [
            1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
            193, 74, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
        ];
        byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
        // act
        byte[] result = Encryption.Decrypt(cipher, keyValue);
        // verify
        Assert.Equal("Hello, World!"u8, result);
    }
 }
--- a/IdentityShroud.Core.Tests/Services/RealmServiceTests.cs
+++ b/IdentityShroud.Core.Tests/Services/RealmServiceTests.cs
@ -1,7 +1,9 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Security;
 using IdentityShroud.Core.Security.Keys;
 using IdentityShroud.Core.Services;
 using IdentityShroud.Core.Tests.Fixtures;
 using IdentityShroud.TestUtils.Substitutes;
 using Microsoft.EntityFrameworkCore;
 namespace IdentityShroud.Core.Tests.Services;
@ -9,7 +11,7 @@ namespace IdentityShroud.Core.Tests.Services;
 public class RealmServiceTests : IClassFixture<DbFixture>
 {
    private readonly DbFixture _dbFixture;
-    private readonly IEncryptionService _encryptionService = EncryptionServiceSubstitute.CreatePassthrough();
+    private readonly IKeyService _keyService = Substitute.For<IKeyService>();
    public RealmServiceTests(DbFixture dbFixture)
    {
@ -34,16 +36,25 @@ public class RealmServiceTests : IClassFixture<DbFixture>
        if (idString is not null)
            realmId = new(idString);
-        using Db db = _dbFixture.CreateDbContext();
+        RealmCreateResponse? val;
-        RealmService sut = new(db, _encryptionService);
+        await using (var db = _dbFixture.CreateDbContext())
        {
            _keyService.CreateKey(Arg.Any<KeyPolicy>())
                .Returns(new RealmKey() 
                { 
                    Id = Guid.NewGuid(), 
                    KeyType = "TST", 
                    Key = new(KekId.NewId(), [21]),
                    CreatedAt = DateTime.UtcNow
                });
            // Act
-        
+            RealmService sut = new(db, _keyService);
            var response = await sut.Create(
                new(realmId, "slug", "New realm"),
                TestContext.Current.CancellationToken);
            // Verify
-        RealmCreateResponse val = ResultAssert.Success(response);
+            val = ResultAssert.Success(response);
            if (realmId.HasValue)
                Assert.Equal(realmId, val.Id);
            else
@ -52,7 +63,16 @@ public class RealmServiceTests : IClassFixture<DbFixture>
            Assert.Equal("slug", val.Slug);
            Assert.Equal("New realm", val.Name);
-        // TODO verify data has been stored!
+            _keyService.Received().CreateKey(Arg.Any<KeyPolicy>());
        }
        await using (var db = _dbFixture.CreateDbContext())
        {
            var dbRecord = await db.Realms
                .Include(e => e.Keys)
                .SingleAsync(e => e.Id == val.Id, TestContext.Current.CancellationToken);
            Assert.Equal("TST", dbRecord.Keys[0].KeyType);
        }
    }
    [Theory]
@ -60,7 +80,7 @@ public class RealmServiceTests : IClassFixture<DbFixture>
    [InlineData("foo", "Foo")]
    public async Task FindBySlug(string slug, string? name)
    {
-        using (var setupContext = _dbFixture.CreateDbContext())
+        await using (var setupContext = _dbFixture.CreateDbContext())
        {
            setupContext.Realms.Add(new()
            {
@ -76,11 +96,48 @@ public class RealmServiceTests : IClassFixture<DbFixture>
            await setupContext.SaveChangesAsync(TestContext.Current.CancellationToken);
        }
-        using Db actContext = _dbFixture.CreateDbContext();
+        await using var actContext = _dbFixture.CreateDbContext();
        RealmService sut = new(actContext, _encryptionService);
        // Act
        RealmService sut = new(actContext, _keyService);
        var result = await sut.FindBySlug(slug, TestContext.Current.CancellationToken);
        // Verify
        Assert.Equal(name, result?.Name);
    }
    [Theory]
    [InlineData("b0423bba-2411-497b-a5b6-c5adf404b862", true)]
    [InlineData("65ac9dba-6d43-4fa4-b57f-133ed639fbcb", false)]
    public async Task FindById(string idString, bool shouldFind)
    {
        Guid id = new(idString);
        await using (var setupContext = _dbFixture.CreateDbContext())
        {
            setupContext.Realms.Add(new()
            {
                Id = new("b0423bba-2411-497b-a5b6-c5adf404b862"),
                Slug = "foo",
                Name = "Foo",
            });
            setupContext.Realms.Add(new()
            {
                Id = new("d4ffc7d0-7b2c-4f02-82b9-a74610435b0d"),
                Slug = "bar",
                Name = "Bar",
            });
            await setupContext.SaveChangesAsync(TestContext.Current.CancellationToken);
        }
        await using var actContext = _dbFixture.CreateDbContext();
        // Act
        RealmService sut = new(actContext, _keyService);
        Realm? result = await sut.FindById(id, TestContext.Current.CancellationToken);
        // Verify
        if (shouldFind)
            Assert.NotNull(result);
        else 
            Assert.Null(result);
    }
 }
--- a/IdentityShroud.Core.Tests/UnitTest1.cs
+++ b/IdentityShroud.Core.Tests/UnitTest1.cs
@ -2,7 +2,6 @@
 using System.Text;
 using System.Text.Json;
 using IdentityShroud.Core.DTO;
 using IdentityShroud.Core.Messages;
 using Microsoft.AspNetCore.WebUtilities;
 namespace IdentityShroud.Core.Tests;
@ -36,7 +35,6 @@ public class UnitTest1
            // Option 3: Generate a new key for testing
            rsa.KeySize = 2048;
            // Your already encoded header and payload
            string header = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJybVZ3TU5rM0o1WHlmMWhyS3NVbEVYN1BNUm42dlZKY0h3U3FYMUVQRnFJIn0";
            string payload = "eyJleHAiOjE3Njk5MzY5MDksImlhdCI6MTc2OTkzNjYwOSwianRpIjoiMjNiZDJmNjktODdhYi00YmM2LWE0MWQtZGZkNzkxNDc4ZDM0IiwiaXNzIjoiaHR0cHM6Ly9pYW0ua2Fzc2FjbG91ZC5ubC9hdXRoL3JlYWxtcy9tcGx1c2thc3NhIiwiYXVkIjpbImthc3NhLW1hbmFnZW1lbnQtc2VydmljZSIsImFwYWNoZTItaW50cmFuZXQtYXV0aCIsImFjY291bnQiXSwic3ViIjoiMDkzY2NmMTUtYzRhOS00YWI0LTk3MWYtZDVhMDIyMzZkODVhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibXBvYmFja2VuZCIsInNpZCI6IjI2NmUyNjJiLTU5NjMtNDUyZi04ZTI3LWIwZTkzMjBkNTZkNiIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLW1wbHVza2Fzc2EiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIiwiZGVhbGVyLW1lZGV3ZXJrZXItcm9sZSIsIm1wbHVza2Fzc2EtbWVkZXdlcmtlci1yb2xlIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYXBhY2hlMi1pbnRyYW5ldC1hdXRoIjp7InJvbGVzIjpbImludHJhbmV0IiwicmVsZWFzZW5vdGVzX3dyaXRlIl19LCJrYXNzYS1tYW5hZ2VtZW50LXNlcnZpY2UiOnsicm9sZXMiOlsicG9zYWNjb3VudF9wYXNzd29yZHJlc2V0IiwiZHJhZnRfbGljZW5zZV93cml0ZSIsImxpY2Vuc2VfcmVhZCIsImtub3dsZWRnZUl0ZW1fcmVhZCIsIm1haWxpbmdfcmVhZCIsIm1wbHVzYXBpX3JlYWQiLCJkYXRhYmFzZV91c2VyX3dyaXRlIiwiZW52aXJvbm1lbnRfd3JpdGUiLCJna3NfYXV0aGNvZGVfcmVhZCIsImVtcGxveWVlX3JlYWQiLCJkYXRhYmFzZV91c2VyX3JlYWQiLCJhcGlhY2NvdW50X3Bhc3N3b3JkcmVzZXQiLCJtcGx1c2FwaV93cml0ZSIsImVudmlyb25tZW50X3JlYWQiLCJrbm93bGVkZ2VJdGVtX3dyaXRlIiwiZGF0YWJhc2VfdXNlcl9wYXNzd29yZF9yZWFkIiwibGljZW5zZV93cml0ZSIsImN1c3RvbWVyX3dyaXRlIiwiZGVhbGVyX3JlYWQiLCJlbXBsb3llZV93cml0ZSIsImRhdGFiYXNlX2NvbmZpZ3VyYXRpb25fd3JpdGUiLCJyZWxhdGlvbnNfcmVhZCIsImRhdGFiYXNlX3VzZXJfcGFzc3dvcmRfbXBsdXNfZW5jcnlwdGVkX3JlYWQiLCJkcmFmdF9saWNlbnNlX3JlYWQiLCJkYXRhYmFzZV9jb25maWd1cmF0aW9uX3JlYWQiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoia21zIGVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiZGVhbGVySWQiOjEsIm5hbWUiOiJFZWxrZSBLbGVpbiIsInByZWZlcnJlZF91c2VybmFtZSI6ImVlbGtlQGJvbHQubmwiLCJsb2NhbGUiOiJlbiIsImdpdmVuX25hbWUiOiJFZWxrZSIsImZhbWlseV9uYW1lIjoiS2xlaW4iLCJlbWFpbCI6ImVlbGtlQGJvbHQubmwiLCJlbXBsb3llZU51bWJlciI6NTR9";
@ -52,6 +50,15 @@ public class UnitTest1
            // Or generate complete JWT
            // string completeJwt = JwtSignatureGenerator.GenerateCompleteJwt(header, payload, rsa);
            // Console.WriteLine($"Complete JWT: {completeJwt}");
            rsa.ExportRSAPublicKey(); // PKCS#1
        }
        using (ECDsa dsa = ECDsa.Create())
        {
            dsa.ExportPkcs8PrivateKey();
            dsa.ExportSubjectPublicKeyInfo(); // x509
        }
    }        
 }
@ -67,9 +74,9 @@ public static class JwtReader
        return new JsonWebToken()
        {
            Header = JsonSerializer.Deserialize<JsonWebTokenHeader>(
-                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, 0, firstDot))),
+                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, 0, firstDot)))!,
            Payload = JsonSerializer.Deserialize<JsonWebTokenPayload>(
-                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, firstDot + 1, secondDot - (firstDot + 1)))),
+                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, firstDot + 1, secondDot - (firstDot + 1))))!,
            Signature = WebEncoders.Base64UrlDecode(jwt, secondDot + 1, jwt.Length - (secondDot + 1))
        };
    }
--- a/IdentityShroud.Core/Contracts/IClientService.cs
+++ b/IdentityShroud.Core/Contracts/IClientService.cs
@ -0,0 +1,14 @@
 using IdentityShroud.Core.Model;
 namespace IdentityShroud.Core.Contracts;
 public interface IClientService
 {
    Task<Result<Client>> Create(
        Guid realmId,
        ClientCreateRequest request, 
        CancellationToken ct = default);
    Task<Client?> GetByClientId(Guid realmId, string clientId, CancellationToken ct = default);
    Task<Client?> FindById(Guid realmId, int id, CancellationToken ct = default);
 }
--- a/IdentityShroud.Core/Contracts/IClock.cs
+++ b/IdentityShroud.Core/Contracts/IClock.cs
@ -0,0 +1,6 @@
 namespace IdentityShroud.Core.Contracts;
 public interface IClock
 {
    DateTime UtcNow();
 }
--- a/IdentityShroud.Core/Contracts/IDataEncryptionService.cs
+++ b/IdentityShroud.Core/Contracts/IDataEncryptionService.cs
@ -0,0 +1,9 @@
 using IdentityShroud.Core.Security;
 namespace IdentityShroud.Core.Contracts;
 public interface IDataEncryptionService
 {
    EncryptedValue Encrypt(ReadOnlySpan<byte> plain);
    byte[] Decrypt(EncryptedValue input);
 }
--- a/IdentityShroud.Core/Contracts/IDekEncryptionService.cs
+++ b/IdentityShroud.Core/Contracts/IDekEncryptionService.cs
@ -0,0 +1,11 @@
 using IdentityShroud.Core.Security;
 namespace IdentityShroud.Core.Contracts;
 public interface IDekEncryptionService
 {
    EncryptedDek Encrypt(ReadOnlySpan<byte> plain);
    byte[] Decrypt(EncryptedDek input);
 }
--- a/IdentityShroud.Core/Contracts/IEncryptionService.cs
+++ b/IdentityShroud.Core/Contracts/IEncryptionService.cs
@ -1,7 +0,0 @@
 namespace IdentityShroud.Core.Contracts;
 public interface IEncryptionService
 {
    byte[] Encrypt(byte[] plain);
    byte[] Decrypt(byte[] cipher);
 }
--- a/IdentityShroud.Core/Contracts/IKeyService.cs
+++ b/IdentityShroud.Core/Contracts/IKeyService.cs
@ -0,0 +1,12 @@
 using IdentityShroud.Core.Messages;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Security.Keys;
 namespace IdentityShroud.Core.Contracts;
 public interface IKeyService
 {
    RealmKey CreateKey(KeyPolicy policy);
    JsonWebKey? CreateJsonWebKey(RealmKey realmKey);
 }
--- a/IdentityShroud.Core/Contracts/IRealmContext.cs
+++ b/IdentityShroud.Core/Contracts/IRealmContext.cs
@ -0,0 +1,9 @@
 using IdentityShroud.Core.Model;
 namespace IdentityShroud.Core.Contracts;
 public interface IRealmContext
 {
    public Realm GetRealm();
    Task<IList<RealmDek>> GetDeks(CancellationToken ct = default);
 }
--- a/IdentityShroud.Core/Contracts/IRealmService.cs
+++ b/IdentityShroud.Core/Contracts/IRealmService.cs
@ -1,12 +1,15 @@
 using IdentityShroud.Core.Messages.Realm;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Services;
-namespace IdentityShroud.Core.Services;
+namespace IdentityShroud.Core.Contracts;
 public interface IRealmService
 {
    Task<Realm?> FindById(Guid id, CancellationToken ct = default);
    Task<Realm?> FindBySlug(string slug, CancellationToken ct = default);
    Task<Result<RealmCreateResponse>> Create(RealmCreateRequest request, CancellationToken ct = default);
    Task LoadActiveKeys(Realm realm);
    Task LoadDeks(Realm realm);
 }
--- a/IdentityShroud.Core/Contracts/ISecretProvider.cs
+++ b/IdentityShroud.Core/Contracts/ISecretProvider.cs
@ -1,6 +1,14 @@
 using IdentityShroud.Core.Security;
 namespace IdentityShroud.Core.Contracts;
 public interface ISecretProvider
 {
    string GetSecret(string name);
    /// <summary>
    /// Should return one active key, might return inactive keys.
    /// </summary>
    /// <returns></returns>
    KeyEncryptionKey[] GetKeys(string name);
 }
--- a/IdentityShroud.Core/DTO/Client/ClientCreateRequest.cs
+++ b/IdentityShroud.Core/DTO/Client/ClientCreateRequest.cs
@ -0,0 +1,10 @@
 namespace IdentityShroud.Core.Contracts;
 public class ClientCreateRequest
 {
    public required string ClientId { get; set; }
    public string? Name { get; set; }
    public string? Description { get; set; }
    public string? SignatureAlgorithm { get; set; }
    public bool? AllowClientCredentialsFlow { get; set; }
 }
--- a/IdentityShroud.Api/Apis/DTO/JsonWebKey.cs
+++ b/IdentityShroud.Api/Apis/DTO/JsonWebKey.cs
@ -1,4 +1,5 @@
 using System.Text.Json.Serialization;
 using IdentityShroud.Core.Helpers;
 namespace IdentityShroud.Core.Messages;
@ -25,17 +26,24 @@ public class JsonWebKey
    // RSA Public Key Components
    [JsonPropertyName("n")]
-    public required string Modulus { get; set; }
+    public string? Modulus { get; set; }
    [JsonPropertyName("e")]
-    public required string Exponent { get; set; }
+    public string? Exponent { get; set; }
    // ECdsa
    public string? Curve { get; set; }
    [JsonConverter(typeof(Base64UrlConverter))]
    public byte[]? X { get; set; }
    [JsonConverter(typeof(Base64UrlConverter))]
    public byte[]? Y { get; set; }
    // Optional fields
-    [JsonPropertyName("x5c")]
+    // [JsonPropertyName("x5c")]
-    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    // [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
-    public List<string>? X509CertificateChain { get; set; }
+    // public List<string>? X509CertificateChain { get; set; }
-    
+    //
-    [JsonPropertyName("x5t")]
+    // [JsonPropertyName("x5t")]
-    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    // [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
-    public string? X509CertificateThumbprint { get; set; }    
+    // public string? X509CertificateThumbprint { get; set; }    
 }
--- a/IdentityShroud.Api/Apis/DTO/JsonWebKeySet.cs
+++ b/IdentityShroud.Api/Apis/DTO/JsonWebKeySet.cs
--- a/IdentityShroud.Core/Db.cs
+++ b/IdentityShroud.Core/Db.cs
@ -1,5 +1,7 @@
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Security;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@ -16,8 +18,43 @@ public class Db(
    ILoggerFactory? loggerFactory) 
    : DbContext
 {
    public virtual DbSet<Client> Clients { get; set; }
    public virtual DbSet<Realm> Realms { get; set; }
-    public virtual DbSet<Key> Keys { get; set; }
+    public virtual DbSet<RealmKey> Keys { get; set; }
    public virtual DbSet<RealmDek> Deks { get; set; }
    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        var dekIdConverter = new ValueConverter<DekId, Guid>(
            id => id.Id,
            guid => new DekId(guid));
        var kekIdConverter = new ValueConverter<KekId, Guid>(
            id => id.Id,
            guid => new KekId(guid));
        modelBuilder.Entity<RealmDek>()
            .Property(d => d.Id)
            .HasConversion(dekIdConverter);
        modelBuilder.Entity<RealmDek>()
            .OwnsOne(d => d.KeyData, keyData =>
            {
                keyData.Property(k => k.KekId).HasConversion(kekIdConverter);
            });
        modelBuilder.Entity<RealmKey>()
            .OwnsOne(k => k.Key, key =>
            {
                key.Property(k => k.KekId).HasConversion(kekIdConverter);
            });
        modelBuilder.Entity<ClientSecret>()
            .OwnsOne(c => c.Secret, secret =>
            {
                secret.Property(s => s.DekId).HasConversion(dekIdConverter);
            });
    }
    protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
    {
--- a/IdentityShroud.Core/Helpers/Base64UrlConverter.cs
+++ b/IdentityShroud.Core/Helpers/Base64UrlConverter.cs
@ -0,0 +1,28 @@
 using System.Buffers;
 using System.Buffers.Text;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 namespace IdentityShroud.Core.Helpers;
 public class Base64UrlConverter : JsonConverter<byte[]>
 {
    public override byte[] Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
    {
        // GetValueSpan gives you the raw UTF-8 bytes of the JSON string value
        if (reader.HasValueSequence)
        {
            var valueSequence = reader.ValueSequence.ToArray();
            return Base64Url.DecodeFromUtf8(valueSequence);
        }
        return Base64Url.DecodeFromUtf8(reader.ValueSpan);
    }
    public override void Write(Utf8JsonWriter writer, byte[] value, JsonSerializerOptions options)
    {
        int encodedLength = Base64Url.GetEncodedLength(value.Length);
        Span<byte> buffer = encodedLength <= 256 ? stackalloc byte[encodedLength] : new byte[encodedLength];
        Base64Url.EncodeToUtf8(value, buffer);
        writer.WriteStringValue(buffer);
    }
 }
--- a/IdentityShroud.Core/Helpers/SlugHelper.cs
+++ b/IdentityShroud.Core/Helpers/SlugHelper.cs
@ -1,4 +1,3 @@
 using System;
 using System.Globalization;
 using System.Security.Cryptography;
 using System.Text;
--- a/IdentityShroud.Core/IdentityShroud.Core.csproj
+++ b/IdentityShroud.Core/IdentityShroud.Core.csproj
@ -11,7 +11,10 @@
      <PackageReference Include="FluentResults" Version="4.0.0" />
      <PackageReference Include="FluentValidation" Version="12.1.1" />
      <PackageReference Include="jose-jwt" Version="5.2.0" />
      <PackageReference Include="LanguageExt.Core" Version="4.4.9" />
      <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.3.9" />
      <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.2" />
      <PackageReference Include="Microsoft.AspNetCore.WebUtilities" Version="10.0.2" />
      <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />
    </ItemGroup>
@ -19,10 +22,4 @@
        <Using Include="FluentResults" />
    </ItemGroup>
    <ItemGroup>
      <Reference Include="Microsoft.AspNetCore.WebUtilities">
        <HintPath>..\..\..\.nuget\packages\microsoft.aspnetcore.webutilities\10.0.2\lib\net10.0\Microsoft.AspNetCore.WebUtilities.dll</HintPath>
      </Reference>
    </ItemGroup>
 </Project>
--- a/IdentityShroud.Core/Model/Client.cs
+++ b/IdentityShroud.Core/Model/Client.cs
@ -1,11 +1,29 @@
-using IdentityShroud.Core.Security;
+using System.ComponentModel.DataAnnotations;
 using System.ComponentModel.DataAnnotations.Schema;
 using Microsoft.EntityFrameworkCore;
 namespace IdentityShroud.Core.Model;
 [Table("client")]
 [Index(nameof(ClientId), IsUnique = true)]
 public class Client
 {
-    public Guid Id { get; set; }
+    [Key]
-    public string Name { get; set; }
+    public int Id { get; set; }
    public Guid RealmId { get; set; }
    [MaxLength(40)]
    public required string ClientId { get; set; }
    [MaxLength(80)]
    public string? Name { get; set; }
    [MaxLength(2048)]
    public string? Description { get; set; }
-    public string? SignatureAlgorithm { get; set; } = JsonWebAlgorithm.RS256;
+    [MaxLength(20)]
    public string? SignatureAlgorithm { get; set; }
    public bool AllowClientCredentialsFlow { get; set; } = false;
    public required DateTime CreatedAt { get; set; }
    public List<ClientSecret> Secrets { get; set; } = [];
 }
--- a/IdentityShroud.Core/Model/ClientSecret.cs
+++ b/IdentityShroud.Core/Model/ClientSecret.cs
@ -0,0 +1,17 @@
 using System.ComponentModel.DataAnnotations;
 using System.ComponentModel.DataAnnotations.Schema;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Security;
 namespace IdentityShroud.Core.Model;
 [Table("client_secret")]
 public class ClientSecret
 {
    [Key]
    public int Id { get; set; }
    public Guid ClientId { get; set; }
    public DateTime CreatedAt { get; set; }
    public DateTime? RevokedAt { get; set; }
    public required EncryptedValue Secret { get; set; }
 }
--- a/IdentityShroud.Core/Model/Key.cs
+++ b/IdentityShroud.Core/Model/Key.cs
@ -1,45 +0,0 @@
 using System.ComponentModel.DataAnnotations.Schema;
 using IdentityShroud.Core.Contracts;
 namespace IdentityShroud.Core.Model;
 [Table("key")]
 public class Key
 {
    private byte[] _privateKeyDecrypted = [];
    public Guid Id { get; set; }
    public DateTime CreatedAt { get; set; }
    public DateTime? DeactivatedAt { get; set; }
    /// <summary>
    /// Key with highest priority will be used. While there is not really a use case for this I know some users
    /// are more comfortable replacing keys by using priority then directly deactivating the old key.
    /// </summary>
    public int Priority { get; set; } = 10;
    public byte[] PrivateKeyEncrypted
    {
        get;
        set
        {
            field = value;
            _privateKeyDecrypted = [];
        }
    } = [];
    public byte[] GetPrivateKey(IEncryptionService encryptionService)
    {
        if (_privateKeyDecrypted.Length == 0 && PrivateKeyEncrypted.Length > 0)
            _privateKeyDecrypted = encryptionService.Decrypt(PrivateKeyEncrypted);
        return _privateKeyDecrypted;
    }
    public void SetPrivateKey(IEncryptionService encryptionService, byte[] privateKey)
    {
        PrivateKeyEncrypted = encryptionService.Encrypt(privateKey);
        _privateKeyDecrypted = privateKey;
    }
 }
--- a/IdentityShroud.Core/Model/Realm.cs
+++ b/IdentityShroud.Core/Model/Realm.cs
@ -1,7 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 using System.ComponentModel.DataAnnotations.Schema;
 using IdentityShroud.Core.Security;
 using Microsoft.EntityFrameworkCore;
 namespace IdentityShroud.Core.Model;
@ -20,11 +19,22 @@ public class Realm
    public string Name { get; set; } = "";
    public List<Client> Clients { get; init; } = [];
-    public List<Key> Keys { get; init; } = [];
+    public List<RealmKey> Keys { get; init; } = [];
    public List<RealmDek> Deks { get; init; } = [];
    /// <summary>
    /// Can be overriden per client
    /// </summary>
    public string DefaultSignatureAlgorithm { get; set; } = JsonWebAlgorithm.RS256;
-    
+}
 [Table("realm_dek")]
 public record RealmDek
 {
    public required DekId Id { get; init; }
    public required bool Active { get; set; }
    public required string Algorithm { get; init; }
    public required EncryptedDek KeyData { get; init; }
    public required Guid RealmId { get; init; }
 }
--- a/IdentityShroud.Core/Model/RealmKey.cs
+++ b/IdentityShroud.Core/Model/RealmKey.cs
@ -0,0 +1,27 @@
 using System.ComponentModel.DataAnnotations.Schema;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Security;
 using Microsoft.EntityFrameworkCore;
 namespace IdentityShroud.Core.Model;
 [Table("realm_key")]
 public record RealmKey
 {
    public required Guid Id { get; init; }
    public required string KeyType { get; init; }
    public required EncryptedDek Key { get; init; }
    public required DateTime CreatedAt { get; init; }
    public DateTime? RevokedAt { get; set; }
    /// <summary>
    /// Key with highest priority will be used. While there is not really a use case for this I know some users
    /// are more comfortable replacing keys by using priority then directly deactivating the old key.
    /// </summary>
    public int Priority { get; set; } = 10;
 }
--- a/IdentityShroud.Core/Security/AesGcmHelper.cs
+++ b/IdentityShroud.Core/Security/AesGcmHelper.cs
@ -1,71 +0,0 @@
 using System.Security.Cryptography;
 namespace IdentityShroud.Core.Security;
 public static class AesGcmHelper
 {
    public static byte[] EncryptAesGcm(byte[] plaintext, byte[] key)
    {
        int tagSize = AesGcm.TagByteSizes.MaxSize;
        using var aes = new AesGcm(key, tagSize);
        Span<byte> nonce = stackalloc byte[AesGcm.NonceByteSizes.MaxSize];
        RandomNumberGenerator.Fill(nonce);
        Span<byte> ciphertext = stackalloc byte[plaintext.Length];
        Span<byte> tag = stackalloc byte[tagSize];
        aes.Encrypt(nonce, plaintext, ciphertext, tag);
        // Return concatenated nonce|ciphertext|tag
        var result = new byte[nonce.Length + ciphertext.Length + tag.Length];
        nonce.CopyTo(result.AsSpan(0, nonce.Length));
        ciphertext.CopyTo(result.AsSpan(nonce.Length, ciphertext.Length));
        tag.CopyTo(result.AsSpan(nonce.Length + ciphertext.Length, tag.Length));
        return result;
    }
    // --------------------------------------------------------------------
    // DecryptAesGcm
    //   • key      – 32‑byte (256‑bit) secret key (same key used for encryption)
    //   • payload  – byte[] containing nonce‖ciphertext‖tag
    //   • returns  – the original plaintext bytes
    // --------------------------------------------------------------------
    public static byte[] DecryptAesGcm(byte[] payload, byte[] key)
    {
        if (payload == null) throw new ArgumentNullException(nameof(payload));
        if (key == null)     throw new ArgumentNullException(nameof(key));
        if (key.Length != 32) // 256‑bit key
            throw new ArgumentException("Key must be 256 bits (32 bytes) for AES‑256‑GCM.", nameof(key));
        // ----------------------------------------------------------------
        // 1️⃣ Extract the three components.
        // ----------------------------------------------------------------
        // AesGcm.NonceByteSizes.MaxSize = 12 bytes (standard GCM nonce length)
        // AesGcm.TagByteSizes.MaxSize   = 16 bytes (128‑bit authentication tag)
        int nonceSize = AesGcm.NonceByteSizes.MaxSize; // 12
        int tagSize   = AesGcm.TagByteSizes.MaxSize;   // 16
        if (payload.Length < nonceSize + tagSize)
            throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
        ReadOnlySpan<byte> nonce = new(payload, 0, nonceSize);
        ReadOnlySpan<byte> ciphertext = new(payload, nonceSize, payload.Length - nonceSize - tagSize);
        ReadOnlySpan<byte> tag = new(payload, payload.Length - tagSize, tagSize);
        byte[] plaintext = new byte[ciphertext.Length];
        using var aes = new AesGcm(key, tagSize);
        try
        {
            aes.Decrypt(nonce, ciphertext, tag, plaintext);
        }
        catch (CryptographicException ex)
        {
            // Tag verification failed → tampering or wrong key/nonce.
            throw new InvalidOperationException("Decryption failed – authentication tag mismatch.", ex);
        }
        return plaintext;
    }
 }
--- a/IdentityShroud.Core/Security/ConfigurationSecretProvider.cs
+++ b/IdentityShroud.Core/Security/ConfigurationSecretProvider.cs
@ -14,4 +14,9 @@ public class ConfigurationSecretProvider(IConfiguration configuration) : ISecret
    {
        return secrets.GetValue<string>(name) ?? "";
    }
    public KeyEncryptionKey[] GetKeys(string name)
    {
        return secrets.GetSection(name).Get<KeyEncryptionKey[]>() ?? [];
    }
 }
--- a/IdentityShroud.Core/Security/DekId.cs
+++ b/IdentityShroud.Core/Security/DekId.cs
@ -0,0 +1,6 @@
 namespace IdentityShroud.Core.Security;
 public record struct DekId(Guid Id)
 {
    public static DekId NewId() => new(Guid.NewGuid());
 }
--- a/IdentityShroud.Core/Security/EncryptedDek.cs
+++ b/IdentityShroud.Core/Security/EncryptedDek.cs
@ -0,0 +1,6 @@
 using Microsoft.EntityFrameworkCore;
 namespace IdentityShroud.Core.Security;
 [Owned]
 public record EncryptedDek(KekId KekId, byte[] Value);
--- a/IdentityShroud.Core/Security/EncryptedValue.cs
+++ b/IdentityShroud.Core/Security/EncryptedValue.cs
@ -0,0 +1,8 @@
 using Microsoft.EntityFrameworkCore;
 namespace IdentityShroud.Core.Security;
 [Owned]
 public record EncryptedValue(DekId DekId, byte[] Value);
--- a/IdentityShroud.Core/Security/Encryption.cs
+++ b/IdentityShroud.Core/Security/Encryption.cs
@ -0,0 +1,70 @@
 using System.Security.Cryptography;
 namespace IdentityShroud.Core.Security;
 public static class Encryption
 {
    private record struct AlgVersion(int Version, int NonceSize, int TagSize);
    private static AlgVersion[] _versions = 
    [
        new(0, 0, 0), // version 0 does not realy exist
        new(1, 12, 16), // version 1
    ];
    public static byte[] Encrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> key)
    {
        const int versionNumber = 1; 
        AlgVersion versionParams = _versions[versionNumber];
        int resultSize = 1 + versionParams.NonceSize + versionParams.TagSize + plaintext.Length;
        // allocate buffer for complete response 
        var result = new byte[resultSize];
        result[0] = (byte)versionParams.Version;
        // make the spans that point to the parts of the result where their data is located
        var nonce = result.AsSpan(1, versionParams.NonceSize); 
        var tag = result.AsSpan(1 + versionParams.NonceSize, versionParams.TagSize);
        var cipher = result.AsSpan(1 + versionParams.NonceSize + versionParams.TagSize);
        // use the spans to place the data directly in its place
        RandomNumberGenerator.Fill(nonce);
        using var aes = new AesGcm(key, versionParams.TagSize);
        aes.Encrypt(nonce, plaintext, cipher, tag);
        return result;
    }
    public static byte[] Decrypt(ReadOnlyMemory<byte> input, ReadOnlySpan<byte> key)
    {
        var payload = input.Span;
        int versionNumber = (int)payload[0];
        if (versionNumber != 1)
            throw new ArgumentException("Invalid payload");
        AlgVersion versionParams = _versions[versionNumber];
        if (payload.Length < 1 + versionParams.NonceSize + versionParams.TagSize)
            throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
        ReadOnlySpan<byte> nonce = payload.Slice(1, versionParams.NonceSize);
        ReadOnlySpan<byte> tag = payload.Slice(1 + versionParams.NonceSize, versionParams.TagSize);
        ReadOnlySpan<byte> cipher = payload.Slice(1 + versionParams.NonceSize + versionParams.TagSize);
        byte[] plaintext = new byte[cipher.Length];
        using var aes = new AesGcm(key, versionParams.TagSize);
        try
        {
            aes.Decrypt(nonce, cipher, tag, plaintext);
        }
        catch (CryptographicException ex)
        {
            // Tag verification failed → tampering or wrong key/nonce.
            throw new InvalidOperationException("Decryption failed – authentication tag mismatch.", ex);
        }
        return plaintext;
    }
 }
--- a/IdentityShroud.Core/Security/JsonWebAlgorithm.cs
+++ b/IdentityShroud.Core/Security/JsonWebAlgorithm.cs
@ -1,5 +1,3 @@
 using System.Security.Cryptography;
 namespace IdentityShroud.Core.Security;
 public static class JsonWebAlgorithm
--- a/IdentityShroud.Core/Security/KekId.cs
+++ b/IdentityShroud.Core/Security/KekId.cs
@ -0,0 +1,41 @@
 using System.ComponentModel;
 using System.Globalization;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 namespace IdentityShroud.Core.Security;
 [JsonConverter(typeof(KekIdJsonConverter))]
 [TypeConverter(typeof(KekIdTypeConverter))]
 public readonly record struct KekId
 {
    public Guid Id { get; } 
    public KekId(Guid id)
    {
        Id = id;
    }
    public static KekId NewId()
    {
        return new KekId(Guid.NewGuid());
    }
 }
 public class KekIdJsonConverter : JsonConverter<KekId>
 {
    public override KekId Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
        => new KekId(reader.GetGuid());
    public override void Write(Utf8JsonWriter writer, KekId value, JsonSerializerOptions options)
        => writer.WriteStringValue(value.Id);
 }
 public class KekIdTypeConverter : TypeConverter
 {
    public override bool CanConvertFrom(ITypeDescriptorContext? context, Type sourceType)
        => sourceType == typeof(string) || base.CanConvertFrom(context, sourceType);
    public override object? ConvertFrom(ITypeDescriptorContext? context, CultureInfo? culture, object value)
        => value is string s ? new KekId(Guid.Parse(s)) : base.ConvertFrom(context, culture, value);
 }
--- a/IdentityShroud.Core/Security/KeyEncryptionKey.cs
+++ b/IdentityShroud.Core/Security/KeyEncryptionKey.cs
@ -0,0 +1,10 @@
 namespace IdentityShroud.Core.Security;
 /// <summary>
 /// Contains a KEK and associated relevant data. This structure
 /// </summary>
 /// <param name="Id"></param>
 /// <param name="Active"></param>
 /// <param name="Algorithm"></param>
 /// <param name="Key"></param>
 public record KeyEncryptionKey(KekId Id, bool Active, string Algorithm, byte[] Key);
--- a/IdentityShroud.Core/Security/Keys/IKeyProvider.cs
+++ b/IdentityShroud.Core/Security/Keys/IKeyProvider.cs
@ -0,0 +1,19 @@
 using IdentityShroud.Core.Messages;
 namespace IdentityShroud.Core.Security.Keys;
 public abstract class KeyPolicy
 {
    public abstract string KeyType { get; }
 }
 public interface IKeyProvider
 {
    byte[] CreateKey(KeyPolicy policy);
    void SetJwkParameters(byte[] key, JsonWebKey jwk);
 }
--- a/IdentityShroud.Core/Security/Keys/IKeyProviderFactory.cs
+++ b/IdentityShroud.Core/Security/Keys/IKeyProviderFactory.cs
@ -0,0 +1,7 @@
 namespace IdentityShroud.Core.Security.Keys;
 public interface IKeyProviderFactory
 {
    public IKeyProvider CreateProvider(string keyType);
 }
--- a/IdentityShroud.Core/Security/Keys/KeyProviderFactory.cs
+++ b/IdentityShroud.Core/Security/Keys/KeyProviderFactory.cs
@ -0,0 +1,17 @@
 using IdentityShroud.Core.Security.Keys.Rsa;
 namespace IdentityShroud.Core.Security.Keys;
 public class KeyProviderFactory : IKeyProviderFactory
 {
    public IKeyProvider CreateProvider(string keyType)
    {
        switch (keyType)
        {
            case "RSA":
                return new RsaProvider();
            default:
                throw new NotImplementedException();
        }
    }
 }
--- a/IdentityShroud.Core/Security/Keys/Rsa/RsaProvider.cs
+++ b/IdentityShroud.Core/Security/Keys/Rsa/RsaProvider.cs
@ -0,0 +1,35 @@
 using System.Buffers.Text;
 using System.Security.Cryptography;
 using IdentityShroud.Core.Messages;
 namespace IdentityShroud.Core.Security.Keys.Rsa;
 public class RsaKeyPolicy : KeyPolicy
 {
    public override string KeyType => "RSA";
    public int KeySize { get; } = 2048;
 }
 public class RsaProvider : IKeyProvider
 {
    public byte[] CreateKey(KeyPolicy policy)
    {
        if (policy is RsaKeyPolicy p)
        {
            using var rsa = RSA.Create(p.KeySize);
            return rsa.ExportPkcs8PrivateKey();
        }
        throw new ArgumentException("Incorrect policy type", nameof(policy));
    }
    public void SetJwkParameters(byte[] key, JsonWebKey jwk)
    {
        using var rsa = RSA.Create();
        rsa.ImportPkcs8PrivateKey(key, out _);
        var parameters = rsa.ExportParameters(includePrivateParameters: false);
        jwk.Exponent = Base64Url.EncodeToString(parameters.Exponent);
        jwk.Modulus = Base64Url.EncodeToString(parameters.Modulus);
    }
 }
--- a/IdentityShroud.Core/Security/RsaHelper.cs
+++ b/IdentityShroud.Core/Security/RsaHelper.cs
@ -1,16 +0,0 @@
 using System.Security.Cryptography;
 namespace IdentityShroud.Core.Security;
 public static class RsaHelper
 {
    /// <summary>
    /// Load RSA private key from PKCS#8 format
    /// </summary>
    public static RSA LoadFromPkcs8(byte[] pkcs8Key)
    {
        var rsa = RSA.Create();
        rsa.ImportPkcs8PrivateKey(pkcs8Key, out _);
        return rsa;
    }
 }
--- a/IdentityShroud.Core/Services/ClientService.cs
+++ b/IdentityShroud.Core/Services/ClientService.cs
@ -0,0 +1,65 @@
 using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
 using Microsoft.EntityFrameworkCore;
 namespace IdentityShroud.Core.Services;
 public class ClientService(
    Db db,
    IDataEncryptionService cryptor,
    IClock clock) : IClientService
 {
    public async Task<Result<Client>> Create(Guid realmId, ClientCreateRequest request, CancellationToken ct = default)
    {
        Client client = new()
        {
            RealmId = realmId,
            ClientId = request.ClientId,
            Name = request.Name,
            Description = request.Description,
            SignatureAlgorithm = request.SignatureAlgorithm,
            AllowClientCredentialsFlow = request.AllowClientCredentialsFlow ?? false,
            CreatedAt = clock.UtcNow(),
        };
        if (client.AllowClientCredentialsFlow)
        {
            client.Secrets.Add(CreateSecret());
        }
        await db.AddAsync(client, ct);
        await db.SaveChangesAsync(ct);
        return client;
    }
    public async Task<Client?> GetByClientId(
        Guid realmId,
        string clientId, 
        CancellationToken ct = default)
    {
        return await db.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId && c.RealmId == realmId, ct);
    }
    public async Task<Client?> FindById(
        Guid realmId,
        int id, 
        CancellationToken ct = default)
    {
        return await db.Clients.FirstOrDefaultAsync(c => c.Id == id && c.RealmId == realmId, ct);
    }
    private ClientSecret CreateSecret()
    {
        Span<byte> secret = stackalloc byte[24];
        RandomNumberGenerator.Fill(secret);
        return new ClientSecret()
        {
            CreatedAt = clock.UtcNow(),
            Secret = cryptor.Encrypt(secret.ToArray()),
        };
    }
 }
--- a/IdentityShroud.Core/Services/ClockService.cs
+++ b/IdentityShroud.Core/Services/ClockService.cs
@ -0,0 +1,11 @@
 using IdentityShroud.Core.Contracts;
 namespace IdentityShroud.Core.Services;
 public class ClockService : IClock
 {
    public DateTime UtcNow()
    {
        return DateTime.UtcNow;
    }
 }
--- a/IdentityShroud.Core/Services/DataEncryptionService.cs
+++ b/IdentityShroud.Core/Services/DataEncryptionService.cs
@ -0,0 +1,41 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Security;
 namespace IdentityShroud.Core.Services;
 public class DataEncryptionService(
    IRealmContext realmContext,
    IDekEncryptionService dekCryptor) : IDataEncryptionService
 {
    // Note this array is expected to have one item in it most of the during key rotation it will have two
    // until it is ensured the old key can safely be removed. More then two will work but is not really expected.
    private IList<RealmDek>? _deks = null;
    private IList<RealmDek> GetDeks()
    {
        if (_deks is null)
            _deks = realmContext.GetDeks().Result;
        return _deks;
    }
    private RealmDek GetActiveDek() => GetDeks().Single(d => d.Active);
    private RealmDek GetKey(DekId id) => GetDeks().Single(d => d.Id == id);
    public byte[] Decrypt(EncryptedValue input)
    {
        var dek = GetKey(input.DekId);
        var key = dekCryptor.Decrypt(dek.KeyData);
        return Encryption.Decrypt(input.Value, key);
    }
    public EncryptedValue Encrypt(ReadOnlySpan<byte> plain)
    {
        var dek = GetActiveDek();
        var key = dekCryptor.Decrypt(dek.KeyData);
        byte[] cipher = Encryption.Encrypt(plain, key);
        return new (dek.Id, cipher);
    }
 }
--- a/IdentityShroud.Core/Services/DekEncryptionService.cs
+++ b/IdentityShroud.Core/Services/DekEncryptionService.cs
@ -0,0 +1,38 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Security;
 namespace IdentityShroud.Core.Services;
 /// <summary>
 /// 
 /// </summary>
 public class DekEncryptionService : IDekEncryptionService
 {
    // Note this array is expected to have one item in it most of the during key rotation it will have two
    // until it is ensured the old key can safely be removed. More then two will work but is not really expected.
    private readonly KeyEncryptionKey[] _encryptionKeys;
    private KeyEncryptionKey ActiveKey => _encryptionKeys.Single(k => k.Active);
    private KeyEncryptionKey GetKey(KekId keyId) => _encryptionKeys.Single(k => k.Id == keyId);
    public DekEncryptionService(ISecretProvider secretProvider)
    {
        _encryptionKeys = secretProvider.GetKeys("master");
        // if (_encryptionKey.Length != 32) // 256‑bit key
        //     throw new Exception("Key must be 256 bits (32 bytes) for AES‑256‑GCM.");
    }
    public EncryptedDek Encrypt(ReadOnlySpan<byte> plaintext)
    {
        var encryptionKey = ActiveKey;
        byte[] cipher = Encryption.Encrypt(plaintext, encryptionKey.Key);
        return new (encryptionKey.Id, cipher);
    }
    public byte[] Decrypt(EncryptedDek input)
    {
        var encryptionKey = GetKey(input.KekId);
        return Encryption.Decrypt(input.Value, encryptionKey.Key);
    }
 }
--- a/IdentityShroud.Core/Services/EncryptionService.cs
+++ b/IdentityShroud.Core/Services/EncryptionService.cs
@ -1,27 +0,0 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Security;
 namespace IdentityShroud.Core.Services;
 /// <summary>
 /// 
 /// </summary>
 public class EncryptionService : IEncryptionService
 {
    private readonly byte[] encryptionKey;
    public EncryptionService(ISecretProvider secretProvider)
    {
        encryptionKey = Convert.FromBase64String(secretProvider.GetSecret("Master"));
    }
    public byte[] Encrypt(byte[] plain)
    {
        return AesGcmHelper.EncryptAesGcm(plain, encryptionKey);
    }
    public byte[] Decrypt(byte[] cipher)
    {
        return AesGcmHelper.DecryptAesGcm(cipher, encryptionKey);
    }
 }
--- a/IdentityShroud.Core/Services/KeyService.cs
+++ b/IdentityShroud.Core/Services/KeyService.cs
@ -0,0 +1,46 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Messages;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Security.Keys;
 namespace IdentityShroud.Core.Services;
 public class KeyService(
    IDekEncryptionService cryptor,
    IKeyProviderFactory keyProviderFactory,
    IClock clock) : IKeyService
 {
    public RealmKey CreateKey(KeyPolicy policy)
    {
        IKeyProvider provider = keyProviderFactory.CreateProvider(policy.KeyType);
        var plainKey = provider.CreateKey(policy);
        return CreateKey(policy.KeyType, plainKey);
    }
    public JsonWebKey? CreateJsonWebKey(RealmKey realmKey)
    {
        JsonWebKey jwk = new()
        {
            KeyId = realmKey.Id.ToString(),
            KeyType = realmKey.KeyType,
            Use = "sig",
        };
        IKeyProvider provider = keyProviderFactory.CreateProvider(realmKey.KeyType);
        provider.SetJwkParameters(
            cryptor.Decrypt(realmKey.Key),
            jwk);
        return jwk;
    }
    private RealmKey CreateKey(string keyType, byte[] plainKey) =>
        new RealmKey()
            {
                Id = Guid.NewGuid(),
                KeyType = keyType,
                Key = cryptor.Encrypt(plainKey),
                CreatedAt = clock.UtcNow(),
            };
 }
--- a/IdentityShroud.Core/Services/RealmContext.cs
+++ b/IdentityShroud.Core/Services/RealmContext.cs
@ -0,0 +1,26 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
 using Microsoft.AspNetCore.Http;
 namespace IdentityShroud.Core.Services;
 public class RealmContext(
    IHttpContextAccessor accessor,
    IRealmService realmService) : IRealmContext
 {
    public Realm GetRealm()
    {
        return (Realm)accessor.HttpContext.Items["RealmEntity"];
    }
    public async Task<IList<RealmDek>> GetDeks(CancellationToken ct = default)
    {
        Realm realm = GetRealm();
        if (realm.Deks.Count == 0)
        {
            await realmService.LoadDeks(realm);
        }
        return realm.Deks;
    }
 }
--- a/IdentityShroud.Core/Services/RealmService.cs
+++ b/IdentityShroud.Core/Services/RealmService.cs
@ -1,8 +1,9 @@
 using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Helpers;
 using IdentityShroud.Core.Messages.Realm;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Security.Keys;
 using IdentityShroud.Core.Security.Keys.Rsa;
 using Microsoft.EntityFrameworkCore;
 namespace IdentityShroud.Core.Services;
@ -11,8 +12,14 @@ public record RealmCreateResponse(Guid Id, string Slug, string Name);
 public class RealmService(
    Db db,
-    IEncryptionService encryptionService) : IRealmService
+    IKeyService keyService) : IRealmService
 {
    public async Task<Realm?> FindById(Guid id, CancellationToken ct = default)
    {
        return await db.Realms
            .SingleOrDefaultAsync(r => r.Id == id, ct);
    }
    public async Task<Realm?> FindBySlug(string slug, CancellationToken ct = default)
    {
        return await db.Realms
@ -26,9 +33,10 @@ public class RealmService(
            Id = request.Id ?? Guid.CreateVersion7(),
            Slug = request.Slug ?? SlugHelper.GenerateSlug(request.Name),
            Name = request.Name,
            Keys = [ CreateKey() ],
        };
        realm.Keys.Add(keyService.CreateKey(GetKeyPolicy(realm)));
        db.Add(realm);
        await db.SaveChangesAsync(ct);
@ -36,25 +44,26 @@ public class RealmService(
            realm.Id, realm.Slug, realm.Name);
    }
    /// <summary>
    /// Place holder for getting policies from the realm and falling back to sane defaults when no policies have been set.
    /// </summary>
    /// <param name="_"></param>
    /// <returns></returns>
    private KeyPolicy GetKeyPolicy(Realm _) => new RsaKeyPolicy();
    public async Task LoadActiveKeys(Realm realm)
    {
        await db.Entry(realm).Collection(r => r.Keys)
            .Query()
-            .Where(k => k.DeactivatedAt == null)
+            .Where(k => k.RevokedAt == null)
            .LoadAsync();
    }
-    private Key CreateKey()
+    public async Task LoadDeks(Realm realm)
    {
-        using RSA rsa = RSA.Create(2048);
+        await db.Entry(realm).Collection(r => r.Deks)
-
+            .Query()
-        Key key = new()
+            .LoadAsync();
        {
            Priority = 10,
        };
        key.SetPrivateKey(encryptionService, rsa.ExportPkcs8PrivateKey());
        return key;
    }
 }
--- a/IdentityShroud.TestUtils/Asserts/JsonObjectAssert.cs
+++ b/IdentityShroud.TestUtils/Asserts/JsonObjectAssert.cs
@ -1,6 +1,5 @@
 using System.Text.Json.Nodes;
 using System.Text.RegularExpressions;
 using Xunit;
 namespace IdentityShroud.TestUtils.Asserts;
--- a/IdentityShroud.TestUtils/Asserts/ResultAssert.cs
+++ b/IdentityShroud.TestUtils/Asserts/ResultAssert.cs
@ -1,5 +1,4 @@
 using FluentResults;
 using Xunit;
 namespace IdentityShroud.Core.Tests;
--- a/IdentityShroud.TestUtils/IdentityShroud.TestUtils.csproj
+++ b/IdentityShroud.TestUtils/IdentityShroud.TestUtils.csproj
@ -10,6 +10,7 @@
    <ItemGroup>
      <PackageReference Include="FluentResults" Version="4.0.0" />
      <PackageReference Include="xunit.v3.assert" Version="3.2.2" />
      <PackageReference Include="NSubstitute" Version="5.3.0" />
    </ItemGroup>
    <ItemGroup>
@ -21,10 +22,4 @@
        <Using Include="NSubstitute"/>
    </ItemGroup>
    <ItemGroup>
      <Reference Include="NSubstitute">
        <HintPath>..\..\..\.nuget\packages\nsubstitute\5.3.0\lib\net6.0\NSubstitute.dll</HintPath>
      </Reference>
    </ItemGroup>
 </Project>
--- a/IdentityShroud.TestUtils/Substitutes/EncryptionServiceSubstitute.cs
+++ b/IdentityShroud.TestUtils/Substitutes/EncryptionServiceSubstitute.cs
@ -1,18 +0,0 @@
 using IdentityShroud.Core.Contracts;
 namespace IdentityShroud.TestUtils.Substitutes;
 public static class EncryptionServiceSubstitute
 {
    public static IEncryptionService CreatePassthrough()
    {
        var encryptionService = Substitute.For<IEncryptionService>();
        encryptionService
            .Encrypt(Arg.Any<byte[]>())
            .Returns(x => x.ArgAt<byte[]>(0));
        encryptionService
            .Decrypt(Arg.Any<byte[]>())
            .Returns(x => x.ArgAt<byte[]>(0));
        return encryptionService;
    }
 }
--- a/IdentityShroud.TestUtils/Substitutes/NullDataEncryptionService.cs
+++ b/IdentityShroud.TestUtils/Substitutes/NullDataEncryptionService.cs
@ -0,0 +1,18 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Security;
 namespace IdentityShroud.TestUtils.Substitutes;
 public class NullDataEncryptionService : IDataEncryptionService
 {
    public DekId KeyId { get; } = DekId.NewId(); 
    public EncryptedValue Encrypt(ReadOnlySpan<byte> plain)
    {
        return new(KeyId, plain.ToArray());
    }
    public byte[] Decrypt(EncryptedValue input)
    {
        return input.Value;
    }
 }
--- a/IdentityShroud.TestUtils/Substitutes/NullDekEncryptionService.cs
+++ b/IdentityShroud.TestUtils/Substitutes/NullDekEncryptionService.cs
@ -0,0 +1,18 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Security;
 namespace IdentityShroud.TestUtils.Substitutes;
 public class NullDekEncryptionService : IDekEncryptionService
 {
    public KekId KeyId { get; } = KekId.NewId(); 
    public EncryptedDek Encrypt(ReadOnlySpan<byte> plain)
    {
        return new(KeyId, plain.ToArray());
    }
    public byte[] Decrypt(EncryptedDek input)
    {
        return input.Value;
    }
 }
--- a/IdentityShroud.sln.DotSettings.user
+++ b/IdentityShroud.sln.DotSettings.user
@ -2,32 +2,47 @@
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAesGcm_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F26fbd7ed219da834e9eaf78ad486d552132eb3c92bbfccff8c27249cdf5f6722_003FAesGcm_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAesGcm_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F2baadb96535b9acc4cb6c54e5379b87513f15ea119f8b153ed795a99ea3d340_003FAesGcm_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ACallInfo_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F402b2077f38742cb9b381ab9e79e493229c00_003F81_003F75c3679f_003FCallInfo_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AConfigurationSection_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F55e3307e9c416bdbce02cdd9eabe8ac72fe3b3d981f3b2220e31ff9c916653c_003FConfigurationSection_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ADebugger_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Ff9d2f95d72fa884d8b6ddefc717c56da3657fbb2d5fb683656c3589eb6587_003FDebugger_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ADeveloperExceptionPageMiddlewareImpl_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F2b5a64a615692cae2c8f378e99676581abe4bc355bb3844bfc6c6db3d576853_003FDeveloperExceptionPageMiddlewareImpl_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AECDsa_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fb69681dc22e362c8b157b358e58abc4b44cb12b573c82fa37c483ad8807c8f_003FECDsa_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AGeneratedRouteBuilderExtensions_002Eg_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F698a85dfa04f73158f8da37069798c22c467dfc_003FGeneratedRouteBuilderExtensions_002Eg_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AGeneratedRouteBuilderExtensions_002Eg_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F9f95c1d38311d5248a1d1324797b98c2e56789a_003FGeneratedRouteBuilderExtensions_002Eg_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AHealthCheckEndpointRouteBuilderExtensions_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F6d0f079e13da4e98881aa3e6e169c6d34f08_003F0e_003Fc2b30661_003FHealthCheckEndpointRouteBuilderExtensions_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AIAsyncDisposable_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F7d59f4f94af72f8d3797655412cdc64435acc6454985685e415ee5fe817f_003FIAsyncDisposable_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AKeySizes_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fe6cebf5d2d92b49eb99f568415b3cd457a252cacf81d426ca4f3e94ff429daf7_003FKeySizes_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AList_00601_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003Fd2753e160c1949ef9afa6a794019cfe8d908_003Fce_003Fba21ad0a_003FList_00601_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ANamingConventionsExtensions_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Feacd26cff49d864d97bf44d3424fd383a26620b1d0c43fb1d6f115da85c655_003FNamingConventionsExtensions_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AOkOfT_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fe2a19de442f561af862af2dcad0852b7e62707a5cf194d266d1656f92bbb6d2_003FOkOfT_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003APostgreSqlBuilder_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fcdd0beaf7beaf8366c0862f34fe40da30911084d957625ab31577851ee8cae7_003FPostgreSqlBuilder_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003APostgreSqlContainer_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fc82112acf224de1d157da0309437b227be6c1ef877865c23872f49eaf9d73c_003FPostgreSqlContainer_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AReadOnlyMemory_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fc19b2538fdfabf70658aed8979dd83e9ca11e27f5b3df68950e8ecb4d879e_003FReadOnlyMemory_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AResultsOfT_002EGenerated_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fff2e2c5ca93c7786ef8425ca6caf751702328924211687ce72e74fd1265e8_003FResultsOfT_002EGenerated_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ARouteGroupBuilder_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fd42b8f8feda3bfb3dc17f133a52ce45931ed5066c46a4d834c8ed46e0a6_003FRouteGroupBuilder_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AThrowHelper_002ESerialization_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F8433b9271c0f176fb5ceb7b1c3d62e1318fe8e62b4e5d7e882952dc543fec_003FThrowHelper_002ESerialization_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ATypedResults_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fcea118513a410f660e578fe32bed95cf86457dd135e4b4632ca91eb4f7b_003FTypedResults_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AWebEncoders_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fce6b69dd397f614758bc5821136ec8af3fa22563dd657769e231f51be1fbbc_003FWebEncoders_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/dotCover/Editor/HighlightingSourceSnapshotLocation/@EntryValue">/home/eelke/.cache/JetBrains/Rider2025.3/resharper-host/temp/Rider/vAny/CoverageData/_IdentityShroud.-1277985570/Snapshot/snapshot.utdcvr</s:String>
 	<s:String x:Key="/Default/Environment/Hierarchy/Build/BuildTool/DotNetCliExePath/@EntryValue">/home/eelke/.dotnet/dotnet</s:String>
 	<s:String x:Key="/Default/Environment/Hierarchy/Build/BuildTool/CustomBuildToolPath/@EntryValue">/home/eelke/.dotnet/sdk/10.0.102/MSBuild.dll</s:String>
-	<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=6e5d049f_002D5af8_002D43d4_002D878d_002D591b09b1e74a/@EntryIndexedValue">&lt;SessionState ContinuousTestingMode="0" IsActive="True" Name="All tests from Solution #3" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session"&gt;
+	<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=ead9ca22_002Dfc70_002D4ddf_002Db4c7_002D534498815537/@EntryIndexedValue">&lt;SessionState ContinuousTestingMode="0" IsActive="True" Name="All tests from Solution" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session"&gt;
  &lt;Solution /&gt;
 &lt;/SessionState&gt;</s:String>
-	<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=a4b5fea0_002D4511_002D4f66_002D888d_002Daea8a1e4c94d/@EntryIndexedValue">&lt;SessionState ContinuousTestingMode="0" Name="All tests from Solution" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session"&gt;
+	
-  &lt;Solution /&gt;
+	
-&lt;/SessionState&gt;</s:String>
+	
-	<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=b6b17914_002D7f7b_002D403e_002Db1eb_002D2c847c515018/@EntryIndexedValue">&lt;SessionState ContinuousTestingMode="0" Name="All tests from Solution #2" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session"&gt;
+	
-  &lt;Solution /&gt;
+	
-&lt;/SessionState&gt;</s:String>
+	
 	</wpf:ResourceDictionary>
--- a/README.md
+++ b/README.md
@ -0,0 +1,4 @@
 # IdentityShroud
 IdentityShroud is a .NET project for identity management and protection.
		`@ -0,0 +1,4 @@`
							`# IdentityShroud`

							`IdentityShroud is a .NET project for identity management and protection.`