With RS256, if the private key is rotated, can old pubic key validate the JWT signature?

I am fresh man, and reviewing docs step by step.
Signing Algorithms

Hey @anlexN welcome to the community!

When the private key is rotated, only the linked public keys will work to validate any subsequently minted tokens. To answer your question, no a pre-existing public key cannot validate any JWT created using the new private key. The statement you’ve pointed out is true because SDKs using RS256 to validate tokens will have access to your tenants /.well-known/jwks.json endpoint with the updated public keys.

For example, jwksUri OR issuerBaseURL in express-oauth2-jwt-bearer.

Hope this helps to clarify!

thank you very much, teacher! can you also answer my another question?

No problem, happy to help!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.