You can manually rotate a signing key periodically to change the JSON web key (JWK) key used by applications and APIs to validate tokens. If your application or API does not allow for this key change, and it attempts to use an expired signing key to verify a token, the authentication request will fail.
Auth0 recommends that you execute signing key rotation on a development tenant first, then verify that your applications and APIs still work as expected. After you verify that everything is working properly, perform the same signing key rotation on your production tenant.
Although Auth0 signs with only one signing key at a time, your tenant’s Connect (OIDC) discovery document always contains multiple keys. The OIDC discovery document will always include both the current key and the next key, and it may also include the previous key if the previous key has not yet been revoked. To provide a seamless experience in case of an emergency, your application should be able to use any of the keys specified in the document. To learn more about OpenID Connect discovery documents, read Locate JSON Web Key Sets.
To allow you time to update your application with the new signing key, all tokens signed with the previous key will still be valid until you revoke the previous key. To learn more, read Revoke Signing Keys.
You can rotate your tenant’s application signing key using the or the Auth0 .

Use the Dashboard

  1. Go to Dashboard > Settings > Signing Keys.
    Dashboard Tenant Settings Signing Keys tab
  2. Under Rotation Settings, locate Rotate Signing Key, and select Rotate Key.
  3. Click Rotate to confirm.
    Dashboard Settings Signing Keys Tab Rotate Confirm

Use the Management API

  1. To get a list of the signing keys, make a GET call to the Get all Application Signing Keys endpoint.
  2. To rotate the signing key, make a POST call to the Rotate the Application Signing Key endpoint. Be sure to replace the MGMT_API_ACCESS_TOKEN placeholder value with your Management API access token. 
    curl --request POST \
   --url 'https://{yourDomain}/api/v2/keys/signing/rotate' \
   --header 'authorization: Bearer {yourMgmtApiAccessToken}'
ValueDescription
MGMT_API_ACCESS_TOKENAccess Token for the Management API with the scopes create:signing_keys and update:signing_keys.

Key rotation impact

APIs and API gateways accepting access tokens

Most middleware and API gateways leverage the JSON web key set (JWKS) endpoint to retrieve the current and future signing keys at a certain interval. If your middleware and/or API gateways do not support this endpoint and require you to manually configure a *.cer file, you will need to coordinate the signing key rotation in Auth0 with the reconfiguration of your middleware and gateways.

Regular web applications

When rotating the signing key in Auth0, you will need to coordinate the reconfiguration of your applications which leverage or . This typically happens when you upload the new public certificate or reconfigure the application by entering the WS-Fed/SAML metadata URL. This will change the JWKS key, which is used by applications to validate tokens, make sure your implementation does not assume JWKS keys don’t change.

Learn more