From dad3450866b2eeba791009ecdb402b35f2a9ac5a Mon Sep 17 00:00:00 2001 From: Matthias Hanel Date: Tue, 9 Feb 2021 16:42:21 -0500 Subject: [PATCH 01/14] [added] description of nats based account resolver Signed-off-by: Matthias Hanel --- .../securing_nats/jwt/resolver.md | 72 ++++++++++++++++++- 1 file changed, 69 insertions(+), 3 deletions(-) diff --git a/nats-server/configuration/securing_nats/jwt/resolver.md b/nats-server/configuration/securing_nats/jwt/resolver.md index f733a34..f8b5c6a 100644 --- a/nats-server/configuration/securing_nats/jwt/resolver.md +++ b/nats-server/configuration/securing_nats/jwt/resolver.md @@ -1,9 +1,10 @@ # Account lookup using Resolver -The `resolver` configuration option is used in conjunction with [NATS JWT Authentication](./) and [nsc](../../../../nats-tools/nsc/). The `resolver` option specifies a URL where the nats-server can retrieve an account JWT. There are two built-in resolver implementations: +The `resolver` configuration option is used in conjunction with [NATS JWT Authentication](./) and [nsc](../../../../nats-tools/nsc/). The `resolver` option specifies a URL where the nats-server can retrieve an account JWT. There are three built-in resolver implementations: -* `URL` -* `MEMORY` +* [`URL`](resolver.md#URL-Resolver) +* [`MEMORY`](resolver.md#Memory) +* [nats based resolver](resolver.md#nats-based-resolver) > If the operator JWT specified in `operator` contains an account resolver URL, `resolver` only needs to be specified in order to overwrite that default. 
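Review bot: the two new link anchors `resolver.md#URL-Resolver` and `resolver.md#Memory` use mixed case while the third one, `resolver.md#nats-based-resolver`, and the existing cross-reference from `nats-tools/nas/README.md` (`resolver.md#memory`) are lowercase; rendered heading anchors are normally lowercased, so `#url-resolver` and `#memory` are the forms that will resolve. The retained context sentence "The `resolver` option specifies a URL where the nats-server can retrieve an account JWT" also no longer describes two of the three implementations (`MEMORY` and the NATS based resolver take no URL), so it is worth rewording in the same hunk.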
@@ -34,3 +35,68 @@ The `MEMORY` resolver is recommended when the server has a small number of accou For more information on how to configure a memory resolver, see [this tutorial](mem_resolver.md). +## nats based resolver + +Nats based resolver embed the functionality of the [account server](https://github.com/nats-io/nats-account-server) inside the nats-server. +To not have to store all account jwt on every server, this resolver has two sub types `full` and `cache`. +Their commonalities are that they exchange/lookup account jwt via nats and the system account and store them in a local (not shared) directory. + +### full + +This resolver stores all jwt and exchanges them in an eventually consistent way with other resolver of the same type. +[`nsc`](../../../../nats-tools/nsc/README.md) supports push/pull/purge with this resolver type. +Jwt, uploaded this way, are stored in a directory the server has exclusive access to. + +```yaml +resolver: { + type: full + # Directory in which account jwt will be stored + dir: './jwt' + # In order to support jwt deletion, set to true + # If the resolver type is full delete will rename the jwt. + # This is to allow manual restoration in case of inadvertent deletion. + # To restore a jwt, remove the added suffix .delete and restart or send a reload signal. + # To free up storage you must manually delete files with the suffix .delete. + allow_delete: false + # Interval at which a nats-server with a nats based account resolver will compare + # it's state with one random nats based account resolver in the cluster and if needed, + # exchange jwt and converge on the same set of jwt. + interval: "2m" + # limit on the number of jwt stored, will reject new jwt once limit is hit. + limit: 1000 +} +``` + +This resolver type also supports `resolver_preload`. When present jwt listed are stored in the resolver. +There, they may be subject to updates. Restarts of the `nats-server` will hold on to these more recent versions. 
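Review bot: in the `full` config example the comment "compare it's state" should read "its state", and the `resolver_preload` sentence "When present jwt listed are stored in the resolver" is missing a clause; the intended meaning seems to be that the JWTs listed under `resolver_preload` are stored in the resolver's directory. The statement that uploaded JWTs "are stored in a directory the server has exclusive access to" reads as a guarantee; if it is a deployment requirement (the directory's permissions must restrict it to the server process), say so explicitly, since the resolver trusts whatever it finds in `dir`. "Nats based resolver embed" should be "The NATS based resolver embeds", and "sub types" should be "subtypes".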
+ +Not every server in a cluster needs to be set to `full`. +You need enough to still serve your workload adequately, while some server are offline. + +### cache + +This resolver only stores a subset of jwt and evicts extra ones based on an LRU scheme. +Missing jwt are downloaded from `full` nats based resolver. +This resolver is essentially the URL Resolver in nats. + +```yaml +resolver: { + type: cache + # Directory in which account jwt will be store + dir: "./" + # limit on the number of jwt stored, will evict old jwt once limit is hit. + limit: 1000 + # How long to hold on to a jwt before discarding it. + ttl: "2m" +} +``` + +### nats based resolver - integration + +nats based resolver utilize the system account for lookup and upload of account jwt. +If your application requires tighter integration you can make use of these subjects for tighter integration. + +To upload or update a possibly on the fly generated account jwt without `nsc`, send it as request to `$SYS.REQ.CLAIMS.UPDATE`. +Each participating `full` nats based account resolver will respond with a message detailing success or failure. + +To serve a requested account jwt yourself, subscribe to `$SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP` and respond with the account jwt corresponding to the requested account id (wildcard). From 354355f85bc19d7afdcadfe32102288c84f7cf5b Mon Sep 17 00:00:00 2001 From: Matthias Hanel Date: Tue, 9 Feb 2021 17:08:18 -0500 Subject: [PATCH 02/14] mention nats based resolver in nats account server Signed-off-by: Matthias Hanel --- .../configuration/securing_nats/jwt/resolver.md | 10 +++++----- nats-tools/nas/README.md | 11 +++++++---- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/nats-server/configuration/securing_nats/jwt/resolver.md b/nats-server/configuration/securing_nats/jwt/resolver.md index f8b5c6a..4626609 100644 --- a/nats-server/configuration/securing_nats/jwt/resolver.md +++ b/nats-server/configuration/securing_nats/jwt/resolver.md 
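Review bot: the `cache` example sets `dir: "./"`, the server's working directory, whereas the `full` example uses `./jwt`; a dedicated directory is the safer default to show, and the comment "will be store" should read "will be stored". In the integration section, "If your application requires tighter integration you can make use of these subjects for tighter integration" repeats itself, and the `$SYS.REQ.CLAIMS.UPDATE` paragraph only says the reply details "success or failure" without stating what an uploaded JWT must satisfy to be accepted; documenting that, and that access to these subjects is gated by the system account mentioned two lines earlier, would tell readers what protects the account store. The last sentence ends the file without a newline.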
@@ -45,7 +45,7 @@ Their commonalities are that they exchange/lookup account jwt via nats and the s This resolver stores all jwt and exchanges them in an eventually consistent way with other resolver of the same type. [`nsc`](../../../../nats-tools/nsc/README.md) supports push/pull/purge with this resolver type. -Jwt, uploaded this way, are stored in a directory the server has exclusive access to. +[JWTs](../../nats-server/configuration/securing_nats/jwt/), uploaded this way, are stored in a directory the server has exclusive access to. ```yaml resolver: { @@ -75,7 +75,7 @@ You need enough to still serve your workload adequately, while some server are o ### cache -This resolver only stores a subset of jwt and evicts extra ones based on an LRU scheme. +This resolver only stores a subset of [JWT](../../nats-server/configuration/securing_nats/jwt/) and evicts extra ones based on an LRU scheme. Missing jwt are downloaded from `full` nats based resolver. This resolver is essentially the URL Resolver in nats. 
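Review bot: the link target `../../nats-server/configuration/securing_nats/jwt/` is wrong for this file. `resolver.md` already lives in `nats-server/configuration/securing_nats/jwt/`, so from there `../../nats-server/...` resolves to `nats-server/configuration/securing_nats/nats-server/...`, which does not exist. The path was evidently copied from `nats-tools/nas/README.md`, where it is correct; in this file the JWT index is `./`, as the opening paragraph already uses (`[NATS JWT Authentication](./)`). The same wrong target appears in the `### cache` hunk.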
@@ -93,10 +93,10 @@ resolver: { ### nats based resolver - integration -nats based resolver utilize the system account for lookup and upload of account jwt. +nats based resolver utilize the system account for lookup and upload of account [JWTs](../../nats-server/configuration/securing_nats/jwt/) . If your application requires tighter integration you can make use of these subjects for tighter integration. -To upload or update a possibly on the fly generated account jwt without `nsc`, send it as request to `$SYS.REQ.CLAIMS.UPDATE`. +To upload or update a possibly on the fly generated account jwt without [`nsc`](../../../../nats-tools/nsc/README.md), send it as request to `$SYS.REQ.CLAIMS.UPDATE`. Each participating `full` nats based account resolver will respond with a message detailing success or failure. -To serve a requested account jwt yourself, subscribe to `$SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP` and respond with the account jwt corresponding to the requested account id (wildcard). +To serve a requested account [JWT](../../nats-server/configuration/securing_nats/jwt/) yourself and essentially implement an account server, subscribe to `$SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP` and respond with the account jwt corresponding to the requested account id (wildcard). diff --git a/nats-tools/nas/README.md b/nats-tools/nas/README.md index 9ad7f48..97d3813 100644 --- a/nats-tools/nas/README.md +++ b/nats-tools/nas/README.md 
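Review bot: the three `[JWTs](../../nats-server/configuration/securing_nats/jwt/)` links added here do not resolve from `nats-server/configuration/securing_nats/jwt/resolver.md` (they point two levels up and then back into a non-existent `nats-server/...` subtree); `./` is the correct target within this file. The rewritten first line also introduces a stray space before the period in `account [JWTs](...) .`, and the unchanged context line still says "tighter integration" twice.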
@@ -1,11 +1,14 @@ # nats-account-server -The [NATS Account Server](https://github.com/nats-io/nats-account-server) is an HTTP server that hosts and vends [JWTs](../../nats-server/configuration/securing_nats/jwt/) for nats-server 2.0 account authentication. The server supports an number of stores which enable it to serve account [JWTs](../../nats-server/configuration/securing_nats/jwt/) from: - -* a [directory](nas_conf.md#directory-configuration) -* an [NSC](../nsc/nsc.md) [directory](nas_conf.md#nsc-configuration) +The [NATS Account Server](https://github.com/nats-io/nats-account-server) is an HTTP server that hosts and vends [JWTs](../../nats-server/configuration/securing_nats/jwt/) for nats-server 2.0 account authentication. The server supports an number of stores which enable it to serve account [JWTs](../../nats-server/configuration/securing_nats/jwt/) from a [directory](nas_conf.md#directory-configuration) > The nats server can be configured with a [memory resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#memory) as well. This avoids usage of the account server. +> The nats server can be configured with a [nats based resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#nats-based-resolver) for the same purpose as well. +> +> Usage of [full nats based resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#nats-based-resolver) over [NATS Account Server](https://github.com/nats-io/nats-account-server) is recommended. +> +> The [NATS Account Server](https://github.com/nats-io/nats-account-server) also speaks the [full nats based resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#nats-based-resolver) protocol and +> can be used as such. 
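Review bot: after collapsing the store list to "from a [directory](...)", the sentence still says "supports an number of stores" while naming only one, keeps the typo "an number", and now ends without a period. In the added blockquote, the two adjacent "can be configured with ... as well" lines say the same thing about two resolvers and would read better as one sentence. The recommendation "Usage of full nats based resolver over NATS Account Server is recommended" would be more useful with the reason the rest of this page already supports: the NATS based resolver is embedded in nats-server, so there is no separate HTTP service to deploy and protect.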
The server can operate in a _READ ONLY_ mode where it serves content from a directory, or in [notification mode](notifications.md), where it can notify a NATS server that a JWT in the store has been modified, updating the NATS server with the updated JWT. From b7aecc69769157c79547a3d632c73991249a6fce Mon Sep 17 00:00:00 2001 From: Matthias Hanel Date: Wed, 10 Feb 2021 13:34:54 -0500 Subject: [PATCH 03/14] Capitalize NATS Signed-off-by: Matthias Hanel --- nats-server/configuration/securing_nats/jwt/resolver.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nats-server/configuration/securing_nats/jwt/resolver.md b/nats-server/configuration/securing_nats/jwt/resolver.md index 4626609..80cd0f5 100644 --- a/nats-server/configuration/securing_nats/jwt/resolver.md +++ b/nats-server/configuration/securing_nats/jwt/resolver.md @@ -4,7 +4,7 @@ The `resolver` configuration option is used in conjunction with [NATS JWT Authen * [`URL`](resolver.md#URL-Resolver) * [`MEMORY`](resolver.md#Memory) -* [nats based resolver](resolver.md#nats-based-resolver) +* [NATS Based Resolver](resolver.md#nats-based-resolver) > If the operator JWT specified in `operator` contains an account resolver URL, `resolver` only needs to be specified in order to overwrite that default. 
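Review bot: the renamed bullet "NATS Based Resolver" sits beside `URL` and `MEMORY`, which are literal `resolver` values, but there is no `type: NATS`; the new implementation is selected with `type: full` or `type: cache` as the config examples further down show. Consider phrasing the bullet so readers do not look for a `NATS` keyword, e.g. "NATS based resolver (`type: full` or `type: cache`)".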
@@ -35,11 +35,11 @@ The `MEMORY` resolver is recommended when the server has a small number of accou For more information on how to configure a memory resolver, see [this tutorial](mem_resolver.md). -## nats based resolver +## NATS Based Resolver -Nats based resolver embed the functionality of the [account server](https://github.com/nats-io/nats-account-server) inside the nats-server. +NATS based resolver embed the functionality of the [account server](https://github.com/nats-io/nats-account-server) inside the nats-server. To not have to store all account jwt on every server, this resolver has two sub types `full` and `cache`. -Their commonalities are that they exchange/lookup account jwt via nats and the system account and store them in a local (not shared) directory. +Their commonalities are that they exchange/lookup account jwt via NATS and the system account and store them in a local (not shared) directory. ### full From 9edf22f7b8b0aebd1c085c8992affce3b6f21219 Mon Sep 17 00:00:00 2001 From: Matthias Hanel Date: Wed, 10 Feb 2021 15:48:45 -0500 Subject: [PATCH 04/14] Update nats-server/configuration/securing_nats/jwt/resolver.md Co-authored-by: Colin Sullivan --- nats-server/configuration/securing_nats/jwt/resolver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nats-server/configuration/securing_nats/jwt/resolver.md b/nats-server/configuration/securing_nats/jwt/resolver.md index 80cd0f5..f145800 100644 --- a/nats-server/configuration/securing_nats/jwt/resolver.md +++ b/nats-server/configuration/securing_nats/jwt/resolver.md 
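Review bot: "NATS based resolver embed the functionality" still has a subject/verb mismatch after the capitalization change; "The NATS based resolver embeds the functionality" is the intended sentence. "sub types" should be "subtypes", and "account jwt" in the same paragraph is lowercase while the heading and the rest of the document now use "JWT".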
@@ -41,7 +41,7 @@ NATS based resolver embed the functionality of the [account server](https://gith To not have to store all account jwt on every server, this resolver has two sub types `full` and `cache`. Their commonalities are that they exchange/lookup account jwt via NATS and the system account and store them in a local (not shared) directory. -### full +### Full This resolver stores all jwt and exchanges them in an eventually consistent way with other resolver of the same type. [`nsc`](../../../../nats-tools/nsc/README.md) supports push/pull/purge with this resolver type. From 81f67989f613ae6f789ee7de3aa37fba69c3a7cc Mon Sep 17 00:00:00 2001 From: Matthias Hanel Date: Wed, 10 Feb 2021 15:49:10 -0500 Subject: [PATCH 05/14] Update nats-server/configuration/securing_nats/jwt/resolver.md Co-authored-by: Colin Sullivan --- nats-server/configuration/securing_nats/jwt/resolver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nats-server/configuration/securing_nats/jwt/resolver.md b/nats-server/configuration/securing_nats/jwt/resolver.md index f145800..15eb685 100644 --- a/nats-server/configuration/securing_nats/jwt/resolver.md +++ b/nats-server/configuration/securing_nats/jwt/resolver.md @@ -67,7 +67,7 @@ resolver: { } ``` -This resolver type also supports `resolver_preload`. When present jwt listed are stored in the resolver. +This resolver type also supports `resolver_preload`. When present, JWTs are listed are stored in the resolver. There, they may be subject to updates. Restarts of the `nats-server` will hold on to these more recent versions. Not every server in a cluster needs to be set to `full`. From 65eb601578dfb386cee21c0d4d103a5862625572 Mon Sep 17 00:00:00 2001 
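Review bot: the `resolver_preload` line now reads "When present, JWTs are listed are stored in the resolver", which has two verbs; the intended meaning appears to be that the JWTs listed under `resolver_preload` are stored in the resolver. The heading change to `### Full` is fine, but keep the backticked lowercase `full` wherever the config value itself is meant, since `type: Full` is not what the example shows.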
From: Matthias Hanel Date: Wed, 10 Feb 2021 15:49:17 -0500 Subject: [PATCH 06/14] Update nats-server/configuration/securing_nats/jwt/resolver.md Co-authored-by: Colin Sullivan --- nats-server/configuration/securing_nats/jwt/resolver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nats-server/configuration/securing_nats/jwt/resolver.md b/nats-server/configuration/securing_nats/jwt/resolver.md index 15eb685..054b9fe 100644 --- a/nats-server/configuration/securing_nats/jwt/resolver.md +++ b/nats-server/configuration/securing_nats/jwt/resolver.md @@ -73,7 +73,7 @@ There, they may be subject to updates. Restarts of the `nats-server` will hold o Not every server in a cluster needs to be set to `full`. You need enough to still serve your workload adequately, while some server are offline. -### cache +### Cache This resolver only stores a subset of [JWT](../../nats-server/configuration/securing_nats/jwt/) and evicts extra ones based on an LRU scheme. Missing jwt are downloaded from `full` nats based resolver. From 897fbe1c3b6900151e39750f5977a7d685e62cdf Mon Sep 17 00:00:00 2001 From: Matthias Hanel Date: Wed, 10 Feb 2021 15:49:26 -0500 Subject: [PATCH 07/14] Update nats-server/configuration/securing_nats/jwt/resolver.md Co-authored-by: Colin Sullivan --- nats-server/configuration/securing_nats/jwt/resolver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nats-server/configuration/securing_nats/jwt/resolver.md b/nats-server/configuration/securing_nats/jwt/resolver.md index 054b9fe..78d614e 100644 --- a/nats-server/configuration/securing_nats/jwt/resolver.md +++ b/nats-server/configuration/securing_nats/jwt/resolver.md 
@@ -91,7 +91,7 @@ resolver: { } ``` -### nats based resolver - integration +### NATS Based Resolver - Integration nats based resolver utilize the system account for lookup and upload of account [JWTs](../../nats-server/configuration/securing_nats/jwt/) . If your application requires tighter integration you can make use of these subjects for tighter integration. From 03fc69af676cb56542710978500d575473e47385 Mon Sep 17 00:00:00 2001 From: Matthias Hanel Date: Wed, 10 Feb 2021 15:49:36 -0500 Subject: [PATCH 08/14] Update nats-server/configuration/securing_nats/jwt/resolver.md Co-authored-by: Colin Sullivan --- nats-server/configuration/securing_nats/jwt/resolver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nats-server/configuration/securing_nats/jwt/resolver.md b/nats-server/configuration/securing_nats/jwt/resolver.md index 78d614e..4375211 100644 --- a/nats-server/configuration/securing_nats/jwt/resolver.md +++ b/nats-server/configuration/securing_nats/jwt/resolver.md @@ -93,7 +93,7 @@ resolver: { ### NATS Based Resolver - Integration -nats based resolver utilize the system account for lookup and upload of account [JWTs](../../nats-server/configuration/securing_nats/jwt/) . +The NATS based resolver utilizes the system account for lookup and upload of account [JWTs](../../nats-server/configuration/securing_nats/jwt/) . If your application requires tighter integration you can make use of these subjects for tighter integration. To upload or update a possibly on the fly generated account jwt without [`nsc`](../../../../nats-tools/nsc/README.md), send it as request to `$SYS.REQ.CLAIMS.UPDATE`. From 1fb41bd6d9d3fdcc4d483f4b3597ac1a7f96c06a Mon Sep 17 00:00:00 2001 From: Matthias Hanel Date: Wed, 10 Feb 2021 15:49:53 -0500 Subject: [PATCH 09/14] Update nats-server/configuration/securing_nats/jwt/resolver.md Co-authored-by: Colin Sullivan --- nats-server/configuration/securing_nats/jwt/resolver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
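Review bot: the rewritten sentence keeps the stray space before the period in `account [JWTs](../../nats-server/configuration/securing_nats/jwt/) .`, and the link target is still the wrong relative path for a file located in `nats-server/configuration/securing_nats/jwt/` (it should be `./`). The following context line, "If your application requires tighter integration you can make use of these subjects for tighter integration", repeats "tighter integration" and is worth fixing while this paragraph is being touched.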
diff --git a/nats-server/configuration/securing_nats/jwt/resolver.md b/nats-server/configuration/securing_nats/jwt/resolver.md index 4375211..cfc0958 100644 --- a/nats-server/configuration/securing_nats/jwt/resolver.md +++ b/nats-server/configuration/securing_nats/jwt/resolver.md @@ -96,7 +96,7 @@ resolver: { The NATS based resolver utilizes the system account for lookup and upload of account [JWTs](../../nats-server/configuration/securing_nats/jwt/) . If your application requires tighter integration you can make use of these subjects for tighter integration. -To upload or update a possibly on the fly generated account jwt without [`nsc`](../../../../nats-tools/nsc/README.md), send it as request to `$SYS.REQ.CLAIMS.UPDATE`. +To upload or update any generated account jwt without [`nsc`](../../../../nats-tools/nsc/README.md), send it as request to `$SYS.REQ.CLAIMS.UPDATE`. Each participating `full` nats based account resolver will respond with a message detailing success or failure. To serve a requested account [JWT](../../nats-server/configuration/securing_nats/jwt/) yourself and essentially implement an account server, subscribe to `$SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP` and respond with the account jwt corresponding to the requested account id (wildcard). From 300cd6511460d4504a5052381c4a60385f6127af Mon Sep 17 00:00:00 2001 From: Matthias Hanel Date: Wed, 10 Feb 2021 15:49:59 -0500 Subject: [PATCH 10/14] Update nats-tools/nas/README.md Co-authored-by: Colin Sullivan --- nats-tools/nas/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/nats-tools/nas/README.md b/nats-tools/nas/README.md index 97d3813..88767f1 100644 --- a/nats-tools/nas/README.md +++ b/nats-tools/nas/README.md 
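Review bot: "any generated account jwt" loses the point of the original wording, that the JWT may be produced by something other than `nsc`, and "any" can read as if any JWT is accepted, which the next line's "success or failure" reply contradicts. "an account JWT generated by other means" keeps the meaning; also capitalize "jwt" to match the rest of the section.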
@@ -3,7 +3,7 @@ The [NATS Account Server](https://github.com/nats-io/nats-account-server) is an HTTP server that hosts and vends [JWTs](../../nats-server/configuration/securing_nats/jwt/) for nats-server 2.0 account authentication. The server supports an number of stores which enable it to serve account [JWTs](../../nats-server/configuration/securing_nats/jwt/) from a [directory](nas_conf.md#directory-configuration) > The nats server can be configured with a [memory resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#memory) as well. This avoids usage of the account server. -> The nats server can be configured with a [nats based resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#nats-based-resolver) for the same purpose as well. +> The NATS server can be configured with a [NATS based resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#nats-based-resolver) for the same purpose as well. > > Usage of [full nats based resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#nats-based-resolver) over [NATS Account Server](https://github.com/nats-io/nats-account-server) is recommended. > @@ -17,4 +17,3 @@ The server supports replica mode, which allows load balancing, fault tolerance a The account server can host activation tokens as well as account JWTs. These tokens are used when one account needs to give permission to another account to access a private export. Tokens can be configured as full tokens, or URLs. By hosting them in the account server you can avoid the copy/paste process of embedding tokens. They can also be updated more easily on expiration. The account serer furthermore allows for jwt inspection. All account server configuration options can be found [here](nas_conf.md#configuration-file). It futhermore allows [inspection](inspecting_jwts.md) of JWT. - From c60a0bb5357199771b1fafe9dcc77468e7d6151a Mon Sep 17 00:00:00 2001 
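Review bot: the capitalization is applied to only one of the two quoted lines; the line two below, "Usage of [full nats based resolver](...)", and the later "speaks the [full nats based resolver] protocol" keep the lowercase form, so the blockquote now mixes "NATS based" and "nats based". The context lines next to the removed trailing blank line carry two typos, "The account serer furthermore" and "It futhermore allows", and state JWT inspection twice in consecutive sentences; since the patch already touches this file, those are cheap to fix here.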
From: Matthias Hanel Date: Wed, 10 Feb 2021 15:50:12 -0500 Subject: [PATCH 11/14] Update nats-tools/nas/README.md Co-authored-by: Colin Sullivan --- nats-tools/nas/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nats-tools/nas/README.md b/nats-tools/nas/README.md index 88767f1..3cac2be 100644 --- a/nats-tools/nas/README.md +++ b/nats-tools/nas/README.md @@ -5,7 +5,7 @@ The [NATS Account Server](https://github.com/nats-io/nats-account-server) is an > The nats server can be configured with a [memory resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#memory) as well. This avoids usage of the account server. > The NATS server can be configured with a [NATS based resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#nats-based-resolver) for the same purpose as well. > -> Usage of [full nats based resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#nats-based-resolver) over [NATS Account Server](https://github.com/nats-io/nats-account-server) is recommended. +> Usage of [full NATS based resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#nats-based-resolver) over [NATS Account Server](https://github.com/nats-io/nats-account-server) is recommended. > > The [NATS Account Server](https://github.com/nats-io/nats-account-server) also speaks the [full nats based resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#nats-based-resolver) protocol and > can be used as such. From e3da8cfe6a7b2398a9b69c2a7bc7588377ed41d8 Mon Sep 17 00:00:00 2001 From: Matthias Hanel Date: Wed, 10 Feb 2021 15:50:22 -0500 Subject: [PATCH 12/14] Update nats-server/configuration/securing_nats/jwt/resolver.md Co-authored-by: Colin Sullivan --- nats-server/configuration/securing_nats/jwt/resolver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
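Review bot: only the "Usage of [full NATS based resolver]" line is capitalized; the unchanged context line right below, "also speaks the [full nats based resolver](...) protocol", still has the lowercase form, so the same blockquote now uses both spellings. Apply the same change to that line.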
diff --git a/nats-server/configuration/securing_nats/jwt/resolver.md b/nats-server/configuration/securing_nats/jwt/resolver.md index cfc0958..eee71dc 100644 --- a/nats-server/configuration/securing_nats/jwt/resolver.md +++ b/nats-server/configuration/securing_nats/jwt/resolver.md @@ -75,7 +75,7 @@ You need enough to still serve your workload adequately, while some server are o ### Cache -This resolver only stores a subset of [JWT](../../nats-server/configuration/securing_nats/jwt/) and evicts extra ones based on an LRU scheme. +This resolver only stores a subset of [JWT](../../nats-server/configuration/securing_nats/jwt/) and evicts others based on an LRU scheme. Missing jwt are downloaded from `full` nats based resolver. This resolver is essentially the URL Resolver in nats. From ab5b1a4565d932554cb960e1c4b19d224fb88c87 Mon Sep 17 00:00:00 2001 From: Matthias Hanel Date: Wed, 10 Feb 2021 15:50:31 -0500 Subject: [PATCH 13/14] Update nats-server/configuration/securing_nats/jwt/resolver.md Co-authored-by: Colin Sullivan --- nats-server/configuration/securing_nats/jwt/resolver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nats-server/configuration/securing_nats/jwt/resolver.md b/nats-server/configuration/securing_nats/jwt/resolver.md index eee71dc..fe9bee8 100644 --- a/nats-server/configuration/securing_nats/jwt/resolver.md +++ b/nats-server/configuration/securing_nats/jwt/resolver.md @@ -1,4 +1,4 @@ -# Account lookup using Resolver +# Account Lookup Using a Resolver The `resolver` configuration option is used in conjunction with [NATS JWT Authentication](./) and [nsc](../../../../nats-tools/nsc/). The `resolver` option specifies a URL where the nats-server can retrieve an account JWT. There are three built-in resolver implementations: From 5c1827430ae522015e22bf5d8d75715009a04d14 Mon Sep 17 00:00:00 2001 
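Review bot: "evicts others based on an LRU scheme" is vaguer than the config comment in the same section ("will evict old jwt once limit is hit"); saying "evicts the least recently used ones once `limit` is reached" ties the prose to the setting readers will tune. The link in this line also still points at `../../nats-server/configuration/securing_nats/jwt/`, which does not resolve from this file's location; `./` is the correct target.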
From: Ginger Collison Date: Wed, 24 Feb 2021 11:50:34 -0600 Subject: [PATCH 14/14] Syntax/grammar review updates --- .../securing_nats/jwt/resolver.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/nats-server/configuration/securing_nats/jwt/resolver.md b/nats-server/configuration/securing_nats/jwt/resolver.md index fe9bee8..3a52ef9 100644 --- a/nats-server/configuration/securing_nats/jwt/resolver.md +++ b/nats-server/configuration/securing_nats/jwt/resolver.md @@ -37,13 +37,13 @@ For more information on how to configure a memory resolver, see [this tutorial]( ## NATS Based Resolver -NATS based resolver embed the functionality of the [account server](https://github.com/nats-io/nats-account-server) inside the nats-server. -To not have to store all account jwt on every server, this resolver has two sub types `full` and `cache`. -Their commonalities are that they exchange/lookup account jwt via NATS and the system account and store them in a local (not shared) directory. +The NATS based resolver embeds the functionality of the [account server](https://github.com/nats-io/nats-account-server) inside the nats-server. +In order to avoid having to store all account JWT on every server, this resolver has two sub types `full` and `cache`. +Their commonalities are that they exchange/lookup account JWT via NATS and the system account, and store them in a local (not shared) directory. ### Full -This resolver stores all jwt and exchanges them in an eventually consistent way with other resolver of the same type. +The Full resolver stores all JWTs and exchanges them in an eventually consistent way with other resolvers of the same type. [`nsc`](../../../../nats-tools/nsc/README.md) supports push/pull/purge with this resolver type. [JWTs](../../nats-server/configuration/securing_nats/jwt/), uploaded this way, are stored in a directory the server has exclusive access to. 
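Review bot: "store all account JWT on every server" and "exchange/lookup account JWT via NATS" should use the plural "JWTs", as the rewritten Full paragraph in the same hunk does ("stores all JWTs"); "sub types" should be "subtypes". The line "[JWTs](../../nats-server/configuration/securing_nats/jwt/), uploaded this way" kept in context still carries a relative path that does not resolve from `nats-server/configuration/securing_nats/jwt/resolver.md`.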
@@ -67,17 +67,17 @@ resolver: { } ``` -This resolver type also supports `resolver_preload`. When present, JWTs are listed are stored in the resolver. +This resolver type also supports `resolver_preload`. When present, JWTs are listed and stored in the resolver. There, they may be subject to updates. Restarts of the `nats-server` will hold on to these more recent versions. Not every server in a cluster needs to be set to `full`. -You need enough to still serve your workload adequately, while some server are offline. +You need enough to still serve your workload adequately, while some servers are offline. ### Cache -This resolver only stores a subset of [JWT](../../nats-server/configuration/securing_nats/jwt/) and evicts others based on an LRU scheme. -Missing jwt are downloaded from `full` nats based resolver. -This resolver is essentially the URL Resolver in nats. +The Cache resolver only stores a subset of [JWT](../../nats-server/configuration/securing_nats/jwt/) and evicts others based on an LRU scheme. +Missing JWTs are downloaded from `full` nats based resolver. +This resolver is essentially the URL Resolver in NATS. ```yaml resolver: { 
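Review bot: "When present, JWTs are listed and stored in the resolver" changes the meaning rather than repairing the earlier "are listed are stored"; what the option does is store the JWTs listed under `resolver_preload`, so "When present, the JWTs listed under `resolver_preload` are stored in the resolver" is the sentence wanted. In the Cache paragraph, "Missing JWTs are downloaded from `full` nats based resolver" needs an article and the capitalization this series introduced elsewhere ("from a `full` NATS based resolver"), and "This resolver is essentially the URL Resolver in NATS" would be clearer as "the NATS equivalent of the URL resolver", since it fetches missing JWTs on demand rather than serving URLs.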
@@ -96,7 +96,7 @@ resolver: { The NATS based resolver utilizes the system account for lookup and upload of account [JWTs](../../nats-server/configuration/securing_nats/jwt/) . If your application requires tighter integration you can make use of these subjects for tighter integration. -To upload or update any generated account jwt without [`nsc`](../../../../nats-tools/nsc/README.md), send it as request to `$SYS.REQ.CLAIMS.UPDATE`. -Each participating `full` nats based account resolver will respond with a message detailing success or failure. +To upload or update any generated account JWT without [`nsc`](../../../../nats-tools/nsc/README.md), send it as a request to `$SYS.REQ.CLAIMS.UPDATE`. +Each participating `full` NATS based account resolver will respond with a message detailing success or failure. -To serve a requested account [JWT](../../nats-server/configuration/securing_nats/jwt/) yourself and essentially implement an account server, subscribe to `$SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP` and respond with the account jwt corresponding to the requested account id (wildcard). +To serve a requested account [JWT](../../nats-server/configuration/securing_nats/jwt/) yourself and essentially implement an account server, subscribe to `$SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP` and respond with the account JWT corresponding to the requested account id (wildcard).
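Review bot: "the requested account id (wildcard)" is unclear; since the subject is `$SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP`, say that the `*` token of the incoming subject carries the account id to respond for. Worth stating as well that, because "Each participating `full` NATS based account resolver will respond", an updater should expect one reply per full resolver rather than a single answer. The context lines above this hunk still have the stray space in `[JWTs](...) .`, the doubled "tighter integration", and the `../../nats-server/...` link target that does not resolve from this file, so this grammar pass should cover them too.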