Rotate Signing Keys
You can rotate a signing key periodically to update the JSON Web Key (JWK) used by applications and APIs to validate tokens. If an application or API attempts to use an expired signing key to verify a token, the authentication request will fail.
Login 3.0 recommends performing signing key rotation on a development tenant first. Verify that your applications and APIs continue to function as expected before applying the same rotation on your production tenant.
Login 3.0 uses one active signing key at a time. However, your tenant's OpenID Connect (OIDC) discovery document will include multiple keys: the current key, the next key (if pre-configured), and possibly the previous key (if it hasn’t been revoked yet). This setup ensures a seamless experience in case of emergencies. Applications should be able to use any key listed in the document. To learn more about OpenID Connect discovery documents, refer to Locate JSON Web Key Sets.
To provide adequate time for application updates, tokens signed with the previous key will remain valid until you explicitly revoke the key. For more details, see Revoke Signing Keys.
You can rotate your tenant's signing key using the Login 3.0 Management API, as Login 3.0 does not include a dashboard for self-service.
Key Rotation Impact
APIs and API Gateways Accepting Access Tokens
Most middleware and API gateways use the JSON Web Key Set (JWKS) endpoint to retrieve current and future signing keys at regular intervals. If your middleware or gateways require manual configuration (e.g., via a .cer file), ensure key rotation in Login 3.0 is coordinated with these reconfigurations.
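The following is an added example, not code from Login 3.0 or from this page, of how the API or gateway side can consume the key set described above: the verifier selects the key by the token's `kid`, re-fetches the JWKS once when it meets a `kid` it has not cached (the rotation case), and replaces its cache wholesale on each scheduled refresh so a revoked previous key drops out. Everything here is an assumption: the `Verifier` and `RotationDemo` names, the `key-A`/`key-B` identifiers, the constructed claims, the choice of RS256, and the `fetch` callback that stands in for an HTTP request to the tenant's JWKS URL.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// jwk is one RSA entry of a JWKS document: its "kid", "n" and "e" members (RFC 7517/7518).
type jwk struct{ Kid, N, E string }

// jwkFromPublic exports an RSA public key as the JWKS entry published under kid.
func jwkFromPublic(kid string, pub *rsa.PublicKey) jwk {
	return jwk{kid, b64.EncodeToString(pub.N.Bytes()), b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// signRS256 builds a compact JWT (header.payload.signature) whose header names kid.
func signRS256(kid string, priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// Verifier models API middleware: a JWKS cache refreshed on a schedule and once on an unknown kid.
type Verifier struct {
	fetch func() ([]jwk, error) // assumed stand-in for an HTTP GET of the tenant's JWKS URL
	keys  map[string]*rsa.PublicKey
}

// Refresh replaces the cache wholesale, so keys revoked upstream drop out.
func (v *Verifier) Refresh() error {
	set, err := v.fetch()
	if err != nil {
		return err
	}
	v.keys = map[string]*rsa.PublicKey{}
	for _, k := range set {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN == nil && errE == nil { // skip entries we cannot parse rather than failing the refresh
			v.keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// Verify checks an RS256 signature against the cached key named by the token's kid and returns the claims.
func (v *Verifier) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	raw := make([][]byte, len(parts))
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil || len(parts) != 3 {
			return nil, fmt.Errorf("malformed token")
		}
		raw[i] = b
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or alg") // pin the algorithm: the header is attacker-controlled
	}
	pub, ok := v.keys[hdr.Kid]
	if !ok { // unknown kid: the tenant may have rotated, so re-fetch the key set once
		if err := v.Refresh(); err != nil {
			return nil, err
		}
		if pub, ok = v.keys[hdr.Kid]; !ok {
			return nil, fmt.Errorf("kid %q not in JWKS (revoked or unknown)", hdr.Kid)
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	var claims map[string]any
	return claims, json.Unmarshal(raw[1], &claims)
}

// RotationDemo walks through rotate, refresh and revoke with two constructed keys and reports what was accepted.
func RotationDemo() (current, nextAfterRotation, revoked bool) {
	keyA, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed "current" key
	keyB, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed "next" key
	// The discovery document lists the current key and the pre-configured next key.
	published := []jwk{jwkFromPublic("key-A", &keyA.PublicKey), jwkFromPublic("key-B", &keyB.PublicKey)}
	v := &Verifier{fetch: func() ([]jwk, error) { return published, nil }}
	tokA, _ := signRS256("key-A", keyA, map[string]any{"sub": "user-123"}) // constructed claims
	_, err := v.Verify(tokA) // empty cache: the unknown kid triggers the first fetch
	current = err == nil
	published = []jwk{published[1], published[0]} // rotate: B is current, A stays listed as previous
	tokB, _ := signRS256("key-B", keyB, map[string]any{"sub": "user-123"})
	_, err = v.Verify(tokB) // B was already cached from the first fetch, so no refresh is needed
	nextAfterRotation = err == nil
	published = published[:1] // revoke A; the gateway's scheduled refresh then drops it
	_ = v.Refresh()
	_, err = v.Verify(tokA) // A is in neither the cache nor the key set, so this fails
	revoked = err == nil
	return
}

func main() {
	fmt.Println(RotationDemo()) // prints: true true false
}
```

Two design points matter for the scenarios in this section. First, because the next key is already in the published set, a token signed with it verifies from cache the moment rotation happens; the refresh-on-unknown-`kid` path only covers a gateway whose cache predates the pre-configuration. Second, a revoked key stays in a gateway's cache until its scheduled refresh runs, so the revocation takes effect only after that interval; a production verifier should bound how often an unknown `kid` may trigger a re-fetch, and must still check `iss`, `aud` and `exp` on the claims it returns.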