View Signing Certificates
You can view your tenant's application client secrets and signing keys using the Auth0 Dashboard or the Management API. The application signing key is used to sign ID tokens, access tokens, SAML assertions, and WS-Fed assertions sent to your application. These keys are different from those used to sign interactions with connections, including signing SAML requests to identity providers (IdPs) and encrypting responses from IdPs. By default, SAML assertions for IdP connections are signed, which we recommend. To learn more, read SAML Identity Provider Configuration Settings.
Use the Dashboard
Tenant settings
Go to Dashboard > Settings > Signing Keys.
In the Rotation Settings section, locate List of Valid Keys and List of Revoked Keys.
The List of Valid Keys section lists the current signing key being used by your tenant, plus the next signing key that will be assigned should you choose to rotate your signing keys. If you have previously rotated signing keys, this section also lists the previously-used keys.
The List of Revoked Keys section lists the last three revoked keys for your tenant.
Application settings
You can also view an application's signing key and/or client secret depending on the type of signing algorithm you are using.
If using the RS256 signing algorithm
Go to Dashboard > Applications, and select the name of the application to view.
Scroll to the bottom of the Settings tab, and select Advanced Settings.
Go to the Certificates tab and locate the Signing Certificate field.
If using the HS256 signing algorithm
Go to Dashboard > Applications, and select the name of the application to view.
Under Basic Information, locate the Client Secret field for the client secret.
Use the Management API
Get all signing keys
Make a GET call to the /signing_keys/get_signing_keys endpoint. Be sure to replace the {yourMgmtApiAccessToken} placeholder value with your Management API Access Token.
curl --request GET \
--url 'https://{yourDomain}/api/v2/keys/signing' \
--header 'authorization: Bearer {yourMgmtApiAccessToken}'Was this helpful?
var client = new RestClient("https://{yourDomain}/api/v2/keys/signing");
var request = new RestRequest(Method.GET);
request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}");
IRestResponse response = client.Execute(request);Was this helpful?
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://{yourDomain}/api/v2/keys/signing"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}Was this helpful?
HttpResponse<String> response = Unirest.get("https://{yourDomain}/api/v2/keys/signing")
.header("authorization", "Bearer {yourMgmtApiAccessToken}")
.asString();Was this helpful?
var axios = require("axios").default;
var options = {
method: 'GET',
url: 'https://{yourDomain}/api/v2/keys/signing',
headers: {authorization: 'Bearer {yourMgmtApiAccessToken}'}
};
axios.request(options).then(function (response) {
console.log(response.data);
}).catch(function (error) {
console.error(error);
});Was this helpful?
#import <Foundation/Foundation.h>
NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiAccessToken}" };
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/keys/signing"]
cachePolicy:NSURLRequestUseProtocolCachePolicy
timeoutInterval:10.0];
[request setHTTPMethod:@"GET"];
[request setAllHTTPHeaderFields:headers];
NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
if (error) {
NSLog(@"%@", error);
} else {
NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
NSLog(@"%@", httpResponse);
}
}];
[dataTask resume];Was this helpful?
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://{yourDomain}/api/v2/keys/signing",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "GET",
CURLOPT_HTTPHEADER => [
"authorization: Bearer {yourMgmtApiAccessToken}"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}Was this helpful?
import http.client
conn = http.client.HTTPSConnection("")
headers = { 'authorization': "Bearer {yourMgmtApiAccessToken}" }
conn.request("GET", "/{yourDomain}/api/v2/keys/signing", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))Was this helpful?
require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://{yourDomain}/api/v2/keys/signing")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Get.new(url)
request["authorization"] = 'Bearer {yourMgmtApiAccessToken}'
response = http.request(request)
puts response.read_bodyWas this helpful?
import Foundation
let headers = ["authorization": "Bearer {yourMgmtApiAccessToken}"]
let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/keys/signing")! as URL,
cachePolicy: .useProtocolCachePolicy,
timeoutInterval: 10.0)
request.httpMethod = "GET"
request.allHTTPHeaderFields = headers
let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
if (error != nil) {
print(error)
} else {
let httpResponse = response as? HTTPURLResponse
print(httpResponse)
}
})
dataTask.resume()Was this helpful?
| Value | Description |
|---|---|
MGMT_API_ACCESS_TOKEN |
Access Token for the Management API with the scope read:signing_keys. |
Get a single signing key
Make a GET call to the /signing_keys/get_signing_key endpoint. Be sure to replace the {yourKeyId} and {yourMgmtApiAccessToken} placeholder values with your signing key's ID and Management API Access Token, respectively.
curl --request GET \
--url 'https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D' \
--header 'authorization: Bearer {yourMgmtApiAccessToken}'Was this helpful?
var client = new RestClient("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D");
var request = new RestRequest(Method.GET);
request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}");
IRestResponse response = client.Execute(request);Was this helpful?
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}Was this helpful?
HttpResponse<String> response = Unirest.get("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D")
.header("authorization", "Bearer {yourMgmtApiAccessToken}")
.asString();Was this helpful?
var axios = require("axios").default;
var options = {
method: 'GET',
url: 'https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D',
headers: {authorization: 'Bearer {yourMgmtApiAccessToken}'}
};
axios.request(options).then(function (response) {
console.log(response.data);
}).catch(function (error) {
console.error(error);
});Was this helpful?
#import <Foundation/Foundation.h>
NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiAccessToken}" };
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D"]
cachePolicy:NSURLRequestUseProtocolCachePolicy
timeoutInterval:10.0];
[request setHTTPMethod:@"GET"];
[request setAllHTTPHeaderFields:headers];
NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
if (error) {
NSLog(@"%@", error);
} else {
NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
NSLog(@"%@", httpResponse);
}
}];
[dataTask resume];Was this helpful?
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "GET",
CURLOPT_HTTPHEADER => [
"authorization: Bearer {yourMgmtApiAccessToken}"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}Was this helpful?
import http.client
conn = http.client.HTTPSConnection("")
headers = { 'authorization': "Bearer {yourMgmtApiAccessToken}" }
conn.request("GET", "/{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))Was this helpful?
require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Get.new(url)
request["authorization"] = 'Bearer {yourMgmtApiAccessToken}'
response = http.request(request)
puts response.read_bodyWas this helpful?
import Foundation
let headers = ["authorization": "Bearer {yourMgmtApiAccessToken}"]
let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D")! as URL,
cachePolicy: .useProtocolCachePolicy,
timeoutInterval: 10.0)
request.httpMethod = "GET"
request.allHTTPHeaderFields = headers
let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
if (error != nil) {
print(error)
} else {
let httpResponse = response as? HTTPURLResponse
print(httpResponse)
}
})
dataTask.resume()Was this helpful?
| Value | Description |
|---|---|
YOUR_KEY_ID |
ID of the signing key to be viewed. To learn how to find your signing key ID, see Locate JSON Web Key Sets. |
MGMT_API_ACCESS_TOKEN |
Access Token for the Management API with the scope read:signing_keys. |