Regular rotation of Signing keys

Are the signing keys provided by Auth0 hosted on https://your-domain.us.auth0.com static, or do they get rotated regularly? Is there a mechanism to make signing keys rotate automatically after a regular interval of time? I know that we can rotate them through the dashboard or from the API, but I am more concerned about the current behaviour of keys with respect to regular rotation.

Hey @msriitd! Welcome to the community! :wave:

We do not rotate signing keys regularly or otherwise. You can do this manually from the Dashboard, as you mentioned, or using the Management API:

(some more info on managing signing keys)


Thanks @art.rosnovsky. One more thing: if there is no regular rotation of signing keys, then why is there a max-age=15 directive in the Cache-Control header in the response from the jwk_url?
I am trying to automate the process of refreshing keys by parsing the max-age directive, and it gives a wrong interpretation in the case of Auth0.
Can someone tell me what that means?

Any update on this? @art.rosnovsky @team

My apologies for the delay, got real busy out here.

My understanding is that this max-age value addresses key rotation. Since you could rotate keys at any moment, it’s important to set a short cache max-age to make sure apps have new keys as soon as they are rotated.

What exactly are you using max-age for in your automation scenario?
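The refresh logic the thread is circling around, as an added example that is not part of the original posts or of Auth0's SDKs: a small JWKS cache that honours the Cache-Control max-age but also refreshes when a token carries a kid it has not seen, which is the case that matters when keys are rotated on demand rather than on a schedule. The fetch callable, the clock and the sample JWKS documents are constructed for illustration; the "n" values are placeholders, not real RSA moduli.

```python
import re
import time

# Constructed sample JWKS documents (not from the thread), before and after a rotation.
JWKS_BEFORE = {"keys": [
    {"kty": "RSA", "kid": "key-old", "use": "sig", "alg": "RS256", "e": "AQAB", "n": "placeholder-old"}]}
JWKS_AFTER = {"keys": [
    {"kty": "RSA", "kid": "key-new", "use": "sig", "alg": "RS256", "e": "AQAB", "n": "placeholder-new"},
    JWKS_BEFORE["keys"][0]]}  # the old key stays published so unexpired tokens still verify


def parse_max_age(cache_control):
    """Seconds from a Cache-Control max-age directive, or None when the directive is absent."""
    match = re.search(r"(?:^|[\s,])max-age=(\d+)", cache_control or "", re.IGNORECASE)
    return int(match.group(1)) if match else None


class JwksCache:
    """Caches JWKS keys by kid; refreshes on max-age expiry or when an unknown kid is requested."""

    def __init__(self, fetch, default_ttl=300, min_refresh_gap=10, clock=time.monotonic):
        self._fetch = fetch                      # hypothetical callable returning (headers_dict, jwks_dict)
        self._default_ttl = default_ttl          # used only when the response carries no max-age
        self._min_refresh_gap = min_refresh_gap  # throttle for unknown-kid refreshes, in seconds
        self._clock = clock
        self._keys = {}
        self._expires_at = None
        self._last_refresh = None

    def _refresh(self):
        headers, jwks = self._fetch()
        ttl = parse_max_age(headers.get("Cache-Control"))
        now = self._clock()
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._expires_at = now + (ttl if ttl is not None else self._default_ttl)
        self._last_refresh = now

    def get_key(self, kid):
        now = self._clock()
        if self._expires_at is None or now >= self._expires_at:
            self._refresh()
        key = self._keys.get(kid)
        if key is None and now - self._last_refresh >= self._min_refresh_gap:
            # A rotation can land before max-age runs out, so refresh once more on an unknown kid,
            # throttled so a flood of tokens with bogus kids cannot hammer the JWKS endpoint.
            self._refresh()
            key = self._keys.get(kid)
        if key is None:
            raise KeyError(f"no signing key with kid {kid!r}")
        return key
```

A verifier built on this still has to check the token's alg, issuer, audience and expiry after picking the key; the cache only decides which published key to use.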
