Revoke Signing Keys
You can revoke your tenant's application or API signing key using the Auth0 Dashboard or the Management API. The signing key is used to sign ID tokens, access tokens, SAML assertions, and WS-Fed assertions sent to your application or API. To learn more, read Signing Keys.
Prerequisites
Before you can revoke a previously-used signing key, you must first have rotated the key. To learn more, read Rotate Signing Keys, or see the Rotate and revoke signing key section below.
Make sure you have updated your application or API with the new key before you revoke the previous key.
You cannot reuse a signing key after revocation, so be sure that you want to revoke it.
Use the Dashboard
Revoke previously used signing key
In the List of Valid Keys section, locate the Previously Used key, select the more options (...) menu, and select Revoke Key. The List of Valid Keys section lists the current signing key being used by your tenant, plus the next signing key that will be assigned should you choose to rotate your signing keys. If you have previously rotated signing keys, this section also lists the previously-used keys. The List of Revoked Keys section lists the last three revoked keys for your tenant.
Select Revoke to confirm.
Rotate and revoke signing key
In the Rotation Settings section, locate the Rotate & Revoke Signing Key section, and select Rotate & Revoke Key.
Select Rotate & Revoke to confirm.
Use the Management API
You can only revoke the previously used signing key.
To get a list of the signing keys, make a
GETcall to the Get all Application Signing Keys endpoint.Make a
PUTcall to the Revoke an Application Signing Key by its Key ID endpoint. Be sure to replace the{yourKeyId}and{yourMgmtApiAccessToken}placeholder values with your signing key's ID and Management API access token, respectively.curl --request PUT \ --url 'https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke' \ --header 'authorization: Bearer {yourMgmtApiAccessToken}'Was this helpful?
/var client = new RestClient("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke"); var request = new RestRequest(Method.PUT); request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}"); IRestResponse response = client.Execute(request);Was this helpful?
/package main import ( "fmt" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke" req, _ := http.NewRequest("PUT", url, nil) req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) }Was this helpful?
/HttpResponse<String> response = Unirest.put("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke") .header("authorization", "Bearer {yourMgmtApiAccessToken}") .asString();Was this helpful?
/var axios = require("axios").default; var options = { method: 'PUT', url: 'https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke', headers: {authorization: 'Bearer {yourMgmtApiAccessToken}'} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); });Was this helpful?
/#import <Foundation/Foundation.h> NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiAccessToken}" }; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"PUT"]; [request setAllHTTPHeaderFields:headers]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume];Was this helpful?
/$curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "PUT", CURLOPT_HTTPHEADER => [ "authorization: Bearer {yourMgmtApiAccessToken}" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; }Was this helpful?
/import http.client conn = http.client.HTTPSConnection("") headers = { 'authorization': "Bearer {yourMgmtApiAccessToken}" } conn.request("PUT", "/{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke", headers=headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8"))Was this helpful?
/require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Put.new(url) request["authorization"] = 'Bearer {yourMgmtApiAccessToken}' response = http.request(request) puts response.read_bodyWas this helpful?
/import Foundation let headers = ["authorization": "Bearer {yourMgmtApiAccessToken}"] let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "PUT" request.allHTTPHeaderFields = headers let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume()Was this helpful?
/Value Description YOUR_KEY_IDID of the signing key to be revoked. To learn how to find your signing key ID, see Locate JSON Web Key Sets. MGMT_API_ACCESS_TOKENAccess Token for the Management API with the scope update:signing_keys.