
Rotating Signing Keys With JWKS

Publishing and rolling token signing keys without breaking verification.

5 min read · advanced

Publishing The Keys

A JSON Web Key Set is a published list of the public keys a verifier uses to check token signatures. Each key carries a key id so a token header can point at the exact key that signed it, enabling smooth rotation.

How Rotation Works

  • The issuer generates a new signing key and publishes its public half in the key set alongside the old one.
  • New tokens are signed with the new key and tagged with its key id.
  • Verifiers fetch the set, cache it, and select the key matching the token's key id.
  • Once all old tokens expire, the retired key is removed.

Pitfalls

  • A verifier that caches the key set for too long will reject valid tokens signed with a newly published key, so honor sensible refresh windows.
  • Never accept a token whose key id is unknown.
  • Treat the private signing key as a top tier secret.
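
As an added example, not the lesson's own code, here are the issuer and verifier halves of the rotation described above in Go: Publish builds the JWK entry for each key in the overlap window, Sign tags each token with its kid, and Verify selects exactly that kid and rejects anything else, which is the unknown-key-id pitfall in code. It assumes ES256 (P-256) keys and constructed kid values such as 2024-01; fetching and caching the set over HTTPS is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// JWK is the published public half of one ES256 (P-256) signing key, named by its kid.
type JWK struct{ Kid, Kty, Crv, X, Y string }
var b64 = base64.RawURLEncoding
func pad32(v *big.Int) []byte { return v.FillBytes(make([]byte, 32)) } // JOSE fixed-width integers

// Publish exports a key's public half; during rotation the issuer lists old and new keys together.
func Publish(kid string, k *ecdsa.PrivateKey) JWK { return JWK{kid, "EC", "P-256", b64.EncodeToString(pad32(k.X)), b64.EncodeToString(pad32(k.Y))} }

// Sign emits a compact JWS (header.payload.signature) whose header names the signing kid.
func Sign(kid string, k *ecdsa.PrivateKey, payload string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString([]byte(payload))
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, k, h[:]) // ES256 signatures are raw r||s, not ASN.1
	return input + "." + b64.EncodeToString(append(pad32(r), pad32(s)...))
}

// Verify uses only the entry whose kid matches the header: unknown kid, wrong alg or bad signature is rejected, and no other key is tried.
func Verify(set []JWK, token string) ([]byte, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if raw, _ := b64.DecodeString(p[0]); len(p) != 3 || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("malformed or unsupported token header")
	}
	dec := func(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }
	for _, k := range set {
		if k.Kid == hdr.Kid {
			pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: dec(k.X), Y: dec(k.Y)}
			h := sha256.Sum256([]byte(p[0] + "." + p[1]))
			if sig, _ := b64.DecodeString(p[2]); len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
				return nil, errors.New("signature does not verify under kid " + hdr.Kid)
			}
			return b64.DecodeString(p[1])
		}
	}
	return nil, errors.New("unknown kid " + hdr.Kid + ": reject, never fall back to another key")
}
```

Dropping an entry from the set is the retirement step: any token still carrying that kid is rejected from then on, which is why the old key stays published until the last token it signed has expired.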

Key idea

A published key set with key ids lets issuers rotate signing keys gracefully: overlap the old and new keys while old tokens are still in circulation, and refresh verifier caches often enough to pick up the new key.

Check yourself


1. What does the key id in a token header enable?

2. Why publish both old and new keys during rotation?