diff --git a/DigitalData.Core.Security/Config/CryptoFactoryParams.cs b/DigitalData.Core.Security/Config/CryptoFactoryParams.cs
index b64e8d3..2ca73fb 100644
--- a/DigitalData.Core.Security/Config/CryptoFactoryParams.cs
+++ b/DigitalData.Core.Security/Config/CryptoFactoryParams.cs
@@ -47,6 +47,13 @@ namespace DigitalData.Core.Security.Config
public CryptoFactoryParams()
{
+ // set defaults
+ if (VaultDecryptor is not null)
+ VaultDecryptor.Id = "vault";
+
+ foreach (var descriptor in TokenDescriptors)
+ descriptor.IdSeparator = FileNameSeparator;
+
// init decryptors
AfterCreate += () =>
{
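Review bot: The two defaults added at the top of the constructor probably never take effect, because a constructor body runs before an object initializer or configuration binder populates `VaultDecryptor` and `TokenDescriptors` (their declarations are outside the hunk, so this is inferred). At that point `VaultDecryptor` is likely still null and `TokenDescriptors` empty, so the decryptor would keep a null `Id` and every descriptor would keep the hard-coded `"_-_"` separator instead of `FileNameSeparator`, leaving key ids out of step with the configured file naming. If `TokenDescriptors` has no initializer, the `foreach` throws a `NullReferenceException` instead. Moving the `if (VaultDecryptor is not null)` and `foreach` statements to the start of the `AfterCreate += () =>` body that follows would apply them to the bound values. The constructor continues past the end of the hunk.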
diff --git a/DigitalData.Core.Security/RSAKey/RSAKeyBase.cs b/DigitalData.Core.Security/RSAKey/RSAKeyBase.cs
index 97085a2..045b92e 100644
--- a/DigitalData.Core.Security/RSAKey/RSAKeyBase.cs
+++ b/DigitalData.Core.Security/RSAKey/RSAKeyBase.cs
@@ -1,22 +1,16 @@
using DigitalData.Core.Abstractions.Security;
-using Microsoft.IdentityModel.Tokens;
using System.Security.Cryptography;
namespace DigitalData.Core.Security.RSAKey
{
public class RSAKeyBase : IAsymmetricKey
{
- public virtual string Content { get; init; }
-
- protected virtual RSA RSA { get; } = RSA.Create();
-
- public string Id { get; init; }
-
#pragma warning disable CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
- internal RSAKeyBase()
- {
-
- }
+ public virtual string Content { get; init; }
+
+ public virtual string Id { get; internal set; }
#pragma warning restore CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
+
+ protected virtual RSA RSA { get; } = RSA.Create();
}
}
\ No newline at end of file
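Review bot: Deleting the `internal RSAKeyBase()` constructor leaves the class with an implicit public parameterless constructor, so code outside the assembly can now create a key whose `Content` and `Id` are both null while `#pragma warning disable CS8618` hides that from the compiler. `Id` is assignable only inside the assembly (`internal set`), so an externally created instance cannot get one unless a subclass overrides the getter. If public construction is intended and callers can always supply the key material, consider `public required virtual string Content { get; init; }`, matching the `required` added to `Audience` and `Issuer` in RSATokenDescriptor. A `///` comment on `Id` stating which component assigns it would also help. If public construction is not intended, keep the constructor non-public.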
diff --git a/DigitalData.Core.Security/RSAKey/RSATokenDescriptor.cs b/DigitalData.Core.Security/RSAKey/RSATokenDescriptor.cs
index b76c5f4..7fa5e75 100644
--- a/DigitalData.Core.Security/RSAKey/RSATokenDescriptor.cs
+++ b/DigitalData.Core.Security/RSAKey/RSATokenDescriptor.cs
@@ -8,13 +8,19 @@ namespace DigitalData.Core.Security.RSAKey
///
public class RSATokenDescriptor : RSAPrivateKey, IAsymmetricTokenDescriptor
{
+ internal string IdSeparator { get; set; } = "_-_";
+
+ private string? _id;
+
+ public override string Id { get => _id ?? $"{Issuer}{IdSeparator}{Audience}"; internal set => _id = value; }
+
public string? ApiRoute { get; init; }
#region SecurityTokenDescriptor Map
///
/// Gets or sets the value of the 'audience' claim.
///
- public string Audience { get; set; }
+ public required string Audience { get; set; }
///
/// Defines the compression algorithm that will be used to compress the JWT token payload.
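Review bot: The fallback in the new `Id` getter joins `Issuer`, `IdSeparator` and `Audience` without checking that neither value contains the separator, so two different issuer/audience pairs can yield the same `Id` (constructed example: issuer `a_-_b` with audience `c`, and issuer `a` with audience `b_-_c`). Because CryptoFactoryParams in this commit sets `IdSeparator` from `FileNameSeparator`, the `Id` presumably ends up in a key file name. Issuer and audience values are often URLs, so characters such as `/` or `:` would need rejecting or encoding before that use. A guard such as `if (Issuer.Contains(IdSeparator) || Audience.Contains(IdSeparator)) throw new InvalidOperationException(...)`, plus a `Path.GetInvalidFileNameChars()` check where the file name is built, would keep the mapping unambiguous. `Audience` here and `Issuer` in the next hunk remain `set` rather than `init`, so the derived `Id` changes if either is reassigned after the key has been registered.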
@@ -34,7 +40,7 @@ namespace DigitalData.Core.Security.RSAKey
///
/// Gets or sets the issuer of this .
///
- public string Issuer { get; set; }
+ public required string Issuer { get; set; }
///
/// Gets or sets the time the security token was issued. This value should be in UTC.