Custom Signing Key

Is it possible to use our own signing key (certificate) to sign JWT tokens?


Hey there @banto, good question! To answer your question, no, it is not possible to use your own key to sign JWT tokens. These are unique to each tenant and stored in a Key Management System (KMS). This is, at its core, a security precaution.

…but then I am more doubtful now :slight_smile: As I have seen a case where an Auth0 customer was using the metadata https://customer-domain/metadata/.well-known/jwks.json with its own certificate; i.e. the “x5c” attribute was pointing to their certificate.

So either I am missing something, or it is possible to use a custom certificate for signing keys. Can you please double-check? Thanks.

I double-checked internally, and the consensus was that what you’ve described isn’t supported. I’d be curious to know if there is somewhere you can point to that shows where this has been implemented? I’m unable to find any documentation whatsoever :confused:

As an aside, it is possible to provide a custom cert for SAML connections:

I’ve clarified with the customer, and you are right. Their certificate was indeed for another purpose. Otherwise, they use the Auth0 cert to verify the tokens issued by Auth0.

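The thread settles on the normal arrangement: the issuer signs with a key only it holds, publishes the public half in its JWKS (optionally with an `x5c` certificate chain alongside `n`/`e`), and the relying party verifies tokens against that document. The following is an added example, not code from the thread or from Auth0: it builds a throwaway issuer (a freshly generated RSA key and a self-signed certificate, with a hypothetical `kid` of `example-key-1`), publishes it as a JWKS that carries both `n`/`e` and `x5c`, mints an RS256 JWT, and then verifies it the way a relying party should. The verifier pins the algorithm rather than trusting the header, selects the key by `kid`, and checks that the `x5c` leaf certificate carries the same public key as `n`/`e` (RFC 7517 requires them to agree, and an attacker who can edit one field but not the other must not be able to smuggle a different key in). It assumes the `cryptography` package is installed.

```python
"""Added example (not from the thread or Auth0): JWKS with n/e plus x5c, and a
relying-party verifier for RS256 JWTs. Keys and certs are generated at runtime."""
import base64
import datetime
import json

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

KID = "example-key-1"  # hypothetical key id, not an Auth0 value


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def int_to_b64url(n: int) -> str:
    return b64url(n.to_bytes((n.bit_length() + 7) // 8, "big"))


def make_issuer():
    """Issuer side: RSA key plus a self-signed cert, exposed as a JWKS document."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "issuer.example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    pub = key.public_key().public_numbers()
    jwks = {"keys": [{
        "kty": "RSA", "use": "sig", "alg": "RS256", "kid": KID,
        "n": int_to_b64url(pub.n), "e": int_to_b64url(pub.e),
        # x5c holds the DER certificate in standard base64 (not base64url), RFC 7517 s4.7.
        "x5c": [base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()],
    }]}
    return key, jwks


def sign_jwt(key, claims: dict, kid: str = KID) -> str:
    """Mint an RS256 JWT (RSA PKCS#1 v1.5 over SHA-256) with the given kid."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, jwks: dict) -> dict:
    """Relying-party side: return the claims, or raise ValueError on any problem."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm; never let header.alg select the verification routine.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None or jwk.get("kty") != "RSA":
        raise ValueError("no matching RSA key in JWKS")
    pub = rsa.RSAPublicNumbers(
        int.from_bytes(b64url_decode(jwk["e"]), "big"),
        int.from_bytes(b64url_decode(jwk["n"]), "big")).public_key()
    if "x5c" in jwk:
        # The leaf cert in x5c must carry exactly the key given by n/e.
        leaf = x509.load_der_x509_certificate(base64.b64decode(jwk["x5c"][0]))
        if leaf.public_key().public_numbers() != pub.public_numbers():
            raise ValueError("x5c certificate does not match n/e")
    try:
        pub.verify(b64url_decode(s_b64), f"{h_b64}.{p_b64}".encode(),
                   padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature as exc:
        raise ValueError("bad signature") from exc
    return json.loads(b64url_decode(p_b64))


if __name__ == "__main__":
    issuer_key, issuer_jwks = make_issuer()
    jwt = sign_jwt(issuer_key, {"sub": "user123", "iss": "https://issuer.example/"})
    print(verify_jwt(jwt, issuer_jwks))
```

The verifier only ever uses the key the issuer published; a token signed by anyone else, even one that reuses the same `kid`, fails the signature check, and a JWKS entry whose `x5c` disagrees with its `n`/`e` is rejected before any signature is examined. A production verifier would additionally check `iss`, `aud`, `exp` and the issuer's `x5c` chain against a trusted root, which this example omits.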

Thanks for following up here :smile:
