You can view your tenant’s application and signing keys using the or the . The application signing key is used to sign , , assertions, and assertions sent to your application. These keys are different from those used to sign interactions with connections, including signing SAML requests to (IdPs) and encrypting responses from IdPs. By default, SAML assertions for IdP connections are signed, which we recommend. To learn more, read SAML Identity Provider Configuration Settings.

Use the Dashboard

Tenant settings

  1. Go to Dashboard > Settings > Signing Keys.
    Dashboard Tenant Settings Signing Keys tab
  2. In the Rotation Settings section, locate List of Valid Keys and List of Revoked Keys.
    1. The List of Valid Keys section lists the current signing key being used by your tenant, plus the next signing key that will be assigned should you choose to rotate your signing keys. If you have previously rotated signing keys, this section also lists the previously-used keys.
    2. The List of Revoked Keys section lists the last three revoked keys for your tenant.

Application settings

You can also view an application’s signing key and/or client secret depending on the type of you are using.

If using the RS256 signing algorithm

  1. Go to Dashboard > Applications, and select the name of the application to view.
  2. Scroll to the bottom of the Settings tab, and select Advanced Settings.
  3. Go to the Certificates tab and locate the Signing Certificate field.
    Dashboard Applications Advanced Settings Certificates tab

If using the HS256 signing algorithm

  1. Go to Dashboard > Applications, and select the name of the application to view.
  2. Under Basic Information, locate the Client Secret field for the client secret.
    Dashboard Applications Application Settings Tab Basic Information

Use the Management API

Get all signing keys

Make a GET call to the /signing_keys/get_signing_keys endpoint. Be sure to replace the {yourMgmtApiAccessToken} placeholder value with your Management API Access Token. 
curl --request GET \
   --url 'https://{yourDomain}/api/v2/keys/signing' \
   --header 'authorization: Bearer {yourMgmtApiAccessToken}'
ValueDescription
MGMT_API_ACCESS_TOKENAccess Token for the Management API with the scope read:signing_keys.

Get a single signing key

Make a GET call to the /signing_keys/get_signing_key endpoint. Be sure to replace the {yourKeyId} and {yourMgmtApiAccessToken} placeholder values with your signing key’s ID and Management API Access Token, respectively. 
curl --request GET \
   --url 'https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D' \
   --header 'authorization: Bearer {yourMgmtApiAccessToken}'
ValueDescription
YOUR_KEY_IDID of the signing key to be viewed. To learn how to find your signing key ID, see Locate JSON Web Key Sets.
MGMT_API_ACCESS_TOKENAccess Token for the Management API with the scope read:signing_keys.

Learn more