Feature: Support uploading customer-owned private keys (BYOK) into Auth0
Description: Requesting support to securely import and manage customer-owned private keys in Auth0 (Bring Your Own Key / BYOK), so Auth0 can sign tokens and/or decrypt encrypted artifacts using keys that originate from the customer, rather than requiring Auth0-generated keys or limiting customers to public key upload only.
Use-case: Today, we can upload public keys to Auth0 for verification/validation scenarios, but we cannot upload private keys that we own/control for signing or decryption operations. This creates a gap for organizations with strict key-ownership requirements (regulated environments, key-rotation policies, HSM/KMS governance, audits) where identity keys must be generated and controlled by the customer and then used by the identity provider.
Add a capability in Auth0 to import private keys (with strong protections) and associate them with the relevant Auth0 feature(s), for example:
- Signing keys for OIDC/JWT token issuance (RS256/ES256, etc.)
- Keys used for JWE decryption/encryption
- Tenant/application-level key sets with versioning and controlled rollout
Impact: This is a major constraint for us, as we have a use-case that requires tokens to be signed using our existing key-sets. Using Auth0-signed tokens could cause issues, as our applications will not be able to verify the tokens, leading to disruptions for our customers.