Does a regular web app use the signing keys?


I have a web-app where I authenticate users with Auth0. This is the only activity in the tenant. I have set up the connection with an Application based on the “Regular Web Application” setup that provides a Client ID and a Client Secret for my web-app to authenticate. Now, I have received a notification to rotate my “signing key”. However, what does this mean for the setup? There is nowhere in the settings for the Applications where I can register the signing key. Is the signing key even in use in this setup? If it is: Where do I set the new signing key for the Application?

Kind regards,
Jørgen Koren Sivesind

Hi @Sivesind

Your ID token received after a successful login is signed by the signing key.
You usually get the verification key via a call to the JWKS endpoint: JSON Web Key Sets

This is usually handled by your SDK. So if you rotate the signing key, it should automatically update the verification key. Please test this in a dev tenant before trying in production.


1 Like
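The flow described in the answer above, as an added example that is not part of the original posts or of any Auth0 SDK: a constructed issuer stands in for the tenant, and a small verifier selects the public key from the JWKS by the token's `kid`, refetching when it meets an unknown one. It assumes RS256-signed tokens; the key IDs, claims and helper names (`makeTenant`, `makeVerifier`, `rotationDemo`) are made up for the demo.

```javascript
const crypto = require("node:crypto");
const b64u = (s) => Buffer.from(s).toString("base64url");
// Constructed stand-in for the tenant: signs tokens and publishes public keys as a JWKS.
// No Auth0 endpoint is called; every key, kid and claim here is generated for the demo.
function makeTenant() {
  const keys = [];
  return {
    addKey(kid) {
      const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
      keys.push({ kid, privateKey, jwk: { ...publicKey.export({ format: "jwk" }), kid } });
    },
    revoke(kid) { keys.splice(0, keys.length, ...keys.filter((k) => k.kid !== kid)); },
    jwks: () => ({ keys: keys.map((k) => k.jwk) }),
    issue(kid, claims) {
      const { privateKey } = keys.find((k) => k.kid === kid);
      const input = b64u(JSON.stringify({ alg: "RS256", typ: "JWT", kid })) + "." + b64u(JSON.stringify(claims));
      return input + "." + crypto.sign("sha256", Buffer.from(input), privateKey).toString("base64url");
    },
  };
}
// Verifier side: cache the JWKS, select the key by the token's kid, and refetch
// once on an unknown kid. Signature only; iss, aud and exp checks are left out.
function makeVerifier(fetchJwks) {
  let cache = fetchJwks();
  return (token) => {
    const [h, p, sig] = token.split(".");
    const { alg, kid } = JSON.parse(Buffer.from(h, "base64url").toString());
    if (alg !== "RS256") throw new Error("unexpected alg");
    if (!cache.keys.some((k) => k.kid === kid)) cache = fetchJwks(); // rotation seen
    const jwk = cache.keys.find((k) => k.kid === kid);
    if (!jwk) throw new Error("no key for kid " + kid);
    const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: "jwk" });
    const ok = crypto.verify("sha256", Buffer.from(h + "." + p), key, Buffer.from(sig, "base64url"));
    if (!ok) throw new Error("bad signature");
    return JSON.parse(Buffer.from(p, "base64url").toString());
  };
}
function rotationDemo() {
  const tenant = makeTenant();
  let fetches = 0;
  tenant.addKey("kid-old");
  const verify = makeVerifier(() => (fetches++, tenant.jwks()));
  const before = tenant.issue("kid-old", { sub: "user-1" });
  tenant.addKey("kid-new"); // rotation: the new key signs, the old one stays published
  const after = tenant.issue("kid-new", { sub: "user-1" });
  const out = { before: verify(before).sub, after: verify(after).sub, fetches };
  tenant.revoke("kid-old"); // revocation: the old key leaves the JWKS
  try { makeVerifier(tenant.jwks)(before); } catch (e) { out.oldAfterRevoke = e.message; }
  return out;
}
```

`rotationDemo()` returns the `sub` of both tokens after rotation, a fetch count of 2, and a `no key for kid kid-old` error once the old key is revoked and a verifier starts from a fresh JWKS.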

Thanks for helping on this one John!

Thanks, @john.gateley !

We do not have a test- or dev-instance of this web-app, so it is a little hard to test, and that is why I ask. :nerd_face:

We did rotate the key, but without revoking the old one. This did not cause the creation of a new Client ID or Client Secret. Are those what you refer to as verification, or is this handled internally in the “Regular Web Application” connection?

I will see if I can set up a test instance so we can try it out, but if not, it sounds like it is pretty safe to go ahead anyway.

Thanks again,

1 Like