Rotate signing keys
If you're using Logto Cloud, you can rotate signing keys in the Console UI, please refer to this tutorial.
Logto OIDC signing keys, as known as โOIDC private keysโ and โOIDC cookie keysโ, are the signing keys used to encrypt JWT tokens (access tokens and ID tokens) and browser cookies in Logto sign-in sessions.
Rotate your signing keys regularly can reduce the risks of potential key compromise. Logto recommends you to rotate your signing keys at least once a year.
Rotate OIDC private signing keysโ
Use the CLI command below to generate a new OIDC private signing key. The new key will be automatically utilized after reboot.
Available options:
--type (Optional) The signing key algorithm for your JWT tokens.
Values are "rsa" or "ec". Defaults to "ec".
- CLI
- local
- npx
logto db config rotate oidc.privateKeys --type rsa
npm run cli db config rotate oidc.privateKeys -- --type rsa
npx @logto/cli db config rotate oidc.privateKeys -- --type rsa
Rotate OIDC cookie keysโ
Use the CLI command below to generate a new OIDC cookie key. The new key will be automatically utilized after reboot.
- CLI
- local
- npx
logto db config rotate oidc.cookieKeys
npm run cli db config rotate oidc.cookieKeys
npx @logto/cli db config rotate oidc.cookieKeys
What about the previous keys?โ
Logto key rotation commands will not delete your previous signing keys, and they will be kept in the database unless you manually delete them.
Also, be cautious when deleting your previous keys, as it may cause unexpected issues. It is recommended to keep both the new key and the previous key for a period of time (e.g. 2 weeks), until you are confident that all your users have migrated to the new key.
Troubleshootingโ
Using Logto as OIDC Provider in Cloudflare Zero Trustโ
If you intend to use Logto as an OIDC provider with Cloudflare Zero Trust, please note that it does not support OIDC providers using ECDSA algorithms. When rotating OIDC private signing keys, ensure you use the RSA algorithm by specifying --type rsa
in the rotation command:
- CLI
- local
- npx
logto db config rotate oidc.privateKeys --type rsa
npm run cli db config rotate oidc.privateKeys -- --type rsa
npx @logto/cli db config rotate oidc.privateKeys -- --type rsa