# Rotate OIDC keys

**POST /api/configs/oidc/{keyType}/rotate**

A new key will be generated and prepend to the list of keys.

Only two recent keys will be kept. The oldest key will be automatically removed if there are more than two keys.


## Servers
- Logto endpoint address.: https://[tenant_id].logto.app (Logto endpoint address.)


## Authentication methods
- O auth2


## Parameters

#### Path parameters
- **keyType** (string)
  Private keys are used to sign OIDC JWTs. Cookie keys are used to sign OIDC cookies. For clients, they do not need to know private keys to verify OIDC JWTs; they can use public keys from the JWKS endpoint instead.


## Body parameters
Content-type: application/json

- **signingKeyAlgorithm** (string)
  The signing key algorithm the new generated private key is using.

Only applicable when `keyType` is `private-keys`.

## Responses
### 200: An array of OIDC signing keys after rotation.

#### Body Parameters: application/json (array[object])
- **id** (string)
  
- **createdAt** (number)
  
- **signingKeyAlgorithm** (string)
  

### 400: Bad Request

### 401: Unauthorized

### 403: Forbidden

### 422: Unprocessable Content


[Powered by Bump.sh](https://bump.sh)