Rotate Credentials

Auth0 recommends that you rotate key material regularly to meet your compliance needs and to limit the impact of a leaked private key. You can use the Auth0 Dashboard or the Management API to bring new keys into use. A rotation has three parts: create a new credential, associate it with the private_key_jwt authentication method, and remove the old or unused credentials once nothing still signs with them.

To rotate your application credentials with Auth0 Dashboard:

  1. Navigate to Auth0 Dashboard > Applications > Application and select the application you want to update.

  2. Switch to the Credentials tab.

  3. In the Available Credentials section, select Add New Key.


  4. Enter a name for the new credential, paste the public key in PEM format, and choose the signing algorithm the application will use with this key.

  5. Select Add Credential.

  6. To activate your new credential, navigate to the menu for the credential and choose Enable for Private Key JWT use.


  7. Once every instance of your application signs its client assertions with the new key, deactivate the original credential:

    1. Select Disable for Private Key JWT Use.

    2. Once disabled, return to the credential menu and select Delete Credential.


Active credentials

To ensure zero downtime, you can leave multiple credentials active during rotation. Applications keep working with the older key until they are updated, because Auth0 accepts a client assertion signed with any credential that is currently active.

Auth0 recommends that you minimize the time during which multiple credentials are active, since every active key is a key an attacker could use. The Management API call below keeps two credentials associated with the application during the overlap window:

# $credential1_id and $credential2_id hold the "id" values returned when each credential was created.
curl --location --request PATCH "https://$tenant/api/v2/clients/$client_id" \
  --header "Authorization: Bearer $management_access_token" \
  --header 'Content-Type: application/json' \
  --data-raw "{
    \"client_authentication_methods\": {
      \"private_key_jwt\": {
        \"credentials\": [{ \"id\": \"$credential1_id\" }, { \"id\": \"$credential2_id\" }]
      }
    }
  }"
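The Dashboard procedure above and the single PATCH call only show the steps one at a time. The script below, an added example that is not Auth0's code, runs the whole rotation against the Management API in the safe order: register the new public key, enable it alongside the old one, hand control to the caller to roll the new private key out to the application, cut the active set over to the new credential, and only then delete the old one. It refuses to delete a credential that is still enabled and refuses to leave the application with no active credential. The endpoint paths, the `credential_type`/`pem`/`alg` body fields, the `?fields=` query and the `FakeManagementApi` used to exercise it offline are assumptions made for this example; check them against your tenant's API reference. The `$tenant` and `$management_access_token` placeholders are the same ones used in the curl call.

```python
"""Private Key JWT credential rotation via the Auth0 Management API v2.
Added example, not Auth0's code. Paths and body fields are assumed here."""
import itertools
import json
import urllib.request
from typing import Any, Callable, List

# send(method, path, json_body) -> decoded JSON. Injected so the same sequence
# runs against the real API or the offline fake at the bottom of the file.
Send = Callable[[str, str, Any], Any]


def add_public_key_credential(send: Send, client_id: str, name: str, pem: str, alg: str) -> str:
    """Dashboard steps 3 to 5: register a new public key, return its credential id."""
    resp = send("POST", f"/api/v2/clients/{client_id}/credentials",
                {"credential_type": "public_key", "name": name, "pem": pem, "alg": alg})
    return resp["id"]


def active_credentials(send: Send, client_id: str) -> List[str]:
    """Credential ids currently enabled for Private Key JWT use on the client."""
    client = send("GET", f"/api/v2/clients/{client_id}?fields=client_authentication_methods", None)
    pkj = client.get("client_authentication_methods", {}).get("private_key_jwt", {})
    return [c["id"] for c in pkj.get("credentials", [])]


def set_active_credentials(send: Send, client_id: str, ids: List[str]) -> None:
    """Same PATCH as the curl call on the page: replace the set of enabled credentials."""
    if not ids:
        raise ValueError("refusing to disable every credential: the app could no longer authenticate")
    send("PATCH", f"/api/v2/clients/{client_id}", {"client_authentication_methods": {
        "private_key_jwt": {"credentials": [{"id": i} for i in ids]}}})


def delete_credential(send: Send, client_id: str, credential_id: str) -> None:
    """Dashboard step 7.2, guarded so an enabled credential is never deleted by mistake."""
    if credential_id in active_credentials(send, client_id):
        raise RuntimeError(f"{credential_id} is still enabled for Private Key JWT; disable it first")
    send("DELETE", f"/api/v2/clients/{client_id}/credentials/{credential_id}", None)


def rotate(send: Send, client_id: str, old_id: str, name: str, pem: str, alg: str,
           deploy_new_key: Callable[[str], None]) -> str:
    """Zero-downtime rotation. deploy_new_key(new_id) is the caller's hook for pushing
    the new private key to the application; it runs while both credentials are enabled,
    so assertions signed with either key are accepted during the rollout."""
    if old_id not in active_credentials(send, client_id):
        raise RuntimeError(f"{old_id} is not an enabled credential of {client_id}")
    new_id = add_public_key_credential(send, client_id, name, pem, alg)
    both = active_credentials(send, client_id) + [new_id]
    set_active_credentials(send, client_id, both)                              # overlap starts
    deploy_new_key(new_id)                                                      # app switches keys
    set_active_credentials(send, client_id, [i for i in both if i != old_id])  # overlap ends
    delete_credential(send, client_id, old_id)
    return new_id


def management_api(tenant: str, token: str) -> Send:
    """Real transport using the $tenant and $management_access_token placeholders."""
    def send(method: str, path: str, body: Any) -> Any:
        req = urllib.request.Request(f"https://{tenant}{path}", method=method,
                                     data=None if body is None else json.dumps(body).encode(),
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


class FakeManagementApi:
    """Constructed in-memory stand-in for the API so the rotation runs offline.
    It mirrors the rule that an enabled credential cannot be deleted."""
    def __init__(self, client_id: str, enabled: List[str]):
        self.client_id, self.active = client_id, list(enabled)
        self.credentials = {cid: {"id": cid, "name": cid} for cid in enabled}
        self.calls, self._ids = [], itertools.count(1)

    def __call__(self, method: str, path: str, body: Any) -> Any:
        self.calls.append((method, path))
        base = f"/api/v2/clients/{self.client_id}"
        if method == "POST" and path == f"{base}/credentials":
            cred = dict(body, id=f"cred_{next(self._ids)}")
            self.credentials[cred["id"]] = cred
            return cred
        if method == "GET" and path.startswith(base):
            return {"client_authentication_methods": {"private_key_jwt": {
                "credentials": [{"id": i} for i in self.active]}}}
        if method == "PATCH" and path == base:
            ids = [c["id"] for c in body["client_authentication_methods"]["private_key_jwt"]["credentials"]]
            if any(i not in self.credentials for i in ids):
                raise RuntimeError("PATCH references a credential id that does not exist")
            self.active = ids
            return {}
        if method == "DELETE" and path.startswith(f"{base}/credentials/"):
            cid = path.rsplit("/", 1)[1]
            if cid in self.active:
                raise RuntimeError("cannot delete a credential that is still enabled")
            del self.credentials[cid]
            return {}
        raise RuntimeError(f"unexpected call: {method} {path}")
```

Against a real tenant, pass `management_api("your-tenant.auth0.com", token)` as `send` and a `deploy_new_key` hook that updates the application's key store and waits for every instance to pick it up; the overlap window is exactly the time that hook takes, which is the interval the page recommends keeping short.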
