
Key Management

Manage tenant JWT signing keys.

List Keys

curl -X GET http://localhost:8000/api/sso/v1/tenants/TENANT_ID/keys \
  -H "Authorization: Bearer TOKEN"

Generate Key

curl -X POST http://localhost:8000/api/sso/v1/tenants/TENANT_ID/keys \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"algorithm": "EdDSA"}'

Rotate Keys

curl -X POST http://localhost:8000/api/sso/v1/tenants/TENANT_ID/keys/rotate \
  -H "Authorization: Bearer TOKEN"

Key Rotation Strategy

  1. Generate a new key.
  2. Keep both keys active, so tokens signed with the old key are still valid.
  3. Sign new tokens with the new key.
  4. After all tokens signed with the old key have expired, deactivate the old key.

JWKS Endpoint

Public keys are available at:

http://localhost:8000/.well-known/jwks.json
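
The rotation strategy and the JWKS endpoint above, seen from a token verifier's side. This is an added example using Node's built-in crypto module, not code from the service itself. It assumes that tokens carry a `kid` header matching a `kid` in the JWKS and that keys are published as standard OKP/Ed25519 JWKs; the function names, key ids, claims and timestamps are constructed for illustration.

```javascript
const crypto = require("node:crypto");

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const fail = (reason) => ({ ok: false, reason });

// Issuer side: Ed25519 key pair plus the public JWK as it would appear in jwks.json.
function newKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return { kid, privateKey, jwk: { ...publicKey.export({ format: "jwk" }), kid, alg: "EdDSA", use: "sig" } };
}

function signToken(key, claims) {
  const input = `${b64u({ alg: "EdDSA", typ: "JWT", kid: key.kid })}.${b64u(claims)}`;
  return `${input}.${crypto.sign(null, Buffer.from(input), key.privateKey).toString("base64url")}`;
}

// Verifier side: select the key by kid, check the signature, then check exp.
function verifyToken(token, jwks, now) {
  const parts = token.split(".");
  if (parts.length !== 3) return fail("malformed");
  let header, claims;
  try {
    [header, claims] = parts.slice(0, 2).map((p) => JSON.parse(Buffer.from(p, "base64url").toString()));
  } catch {
    return fail("malformed");
  }
  if (header?.alg !== "EdDSA") return fail("unexpected alg"); // pin the algorithm
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) return fail("unknown kid");
  const pub = crypto.createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x }, format: "jwk" });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify(null, signed, pub, Buffer.from(parts[2], "base64url"))) return fail("bad signature");
  if (typeof claims?.exp !== "number" || claims.exp <= now) return fail("expired");
  return { ok: true, claims };
}

function rotationDemo() {
  const t0 = 1700000000; // constructed rotation time (Unix seconds)
  const oldKey = newKey("old-key"), newerKey = newKey("new-key");
  const oldToken = signToken(oldKey, { sub: "user-1", exp: t0 + 900 });
  const newToken = signToken(newerKey, { sub: "user-1", exp: t0 + 3600 });
  const overlap = { keys: [oldKey.jwk, newerKey.jwk] }; // step 2: both keys published
  const newOnly = { keys: [newerKey.jwk] };             // step 4: old key deactivated
  return {
    oldDuringOverlap: verifyToken(oldToken, overlap, t0 + 60),
    newDuringOverlap: verifyToken(newToken, overlap, t0 + 60),
    oldRemovedEarly: verifyToken(oldToken, newOnly, t0 + 60),
    oldExpired: verifyToken(oldToken, overlap, t0 + 901),
  };
}
```

`oldRemovedEarly` fails with `unknown kid` although the token is unexpired and correctly signed, which is what deactivating the old key before step 4 does to live sessions.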