Rotate OIDC keys

POST /api/configs/oidc/{keyType}/rotate

OAuth2

A new key will be generated and prepend to the list of keys.

Only two recent keys will be kept. The oldest key will be automatically removed if there are more than two keys.

Path parameters

keyType string Required

Private keys are used to sign OIDC JWTs. Cookie keys are used to sign OIDC cookies. For clients, they do not need to know private keys to verify OIDC JWTs; they can use public keys from the JWKS endpoint instead.

Values are private-keys or cookie-keys.

application/json

Body Required

signingKeyAlgorithm string

The signing key algorithm the new generated private key is using.

Only applicable when keyType is private-keys.

Values are RSA or EC.

Responses

200 application/json

An array of OIDC signing keys after rotation.
Hide response attributes Show response attributes object
- id string Required
- createdAt number Required
- signingKeyAlgorithm string
  
  Values are RSA or EC.
400

Bad Request
401

Unauthorized
403

Forbidden
422

Unprocessable Content

POST /api/configs/oidc/{keyType}/rotate

curl \
 -X POST https://[tenant_id].logto.app/api/configs/oidc/{keyType}/rotate \
 -H "Authorization: Bearer $ACCESS_TOKEN" \
 -H "Content-Type: application/json" \
 -d '{"signingKeyAlgorithm":"RSA"}'

Request examples

{
  "signingKeyAlgorithm": "RSA"
}

Response examples (200)

[
  {
    "id": "string",
    "createdAt": 42.0,
    "signingKeyAlgorithm": "RSA"
  }
]