Skip to main content

Rotate signing keys

Cloud availabilityOSS availability
info

If you're using Logto Cloud, you can rotate signing keys in the Console UI, please refer to this tutorial.

Logto OIDC signing keys, as known as โ€œOIDC private keysโ€ and โ€œOIDC cookie keysโ€, are the signing keys used to encrypt JWT tokens (access tokens and ID tokens) and browser cookies in Logto sign-in sessions.

Rotate your signing keys regularly can reduce the risks of potential key compromise. Logto recommends you to rotate your signing keys at least once a year.

Rotate OIDC private signing keysโ€‹

Use the CLI command below to generate a new OIDC private signing key. The new key will be automatically utilized after reboot.

Available options:

--type    (Optional) The signing key algorithm for your JWT tokens.
          Values are "rsa" or "ec". Defaults to "ec".
logto db config rotate oidc.privateKeys --type rsa

Use the CLI command below to generate a new OIDC cookie key. The new key will be automatically utilized after reboot.

logto db config rotate oidc.cookieKeys

What about the previous keys?โ€‹

Logto key rotation commands will not delete your previous signing keys, and they will be kept in the database unless you manually delete them.

Also, be cautious when deleting your previous keys, as it may cause unexpected issues. It is recommended to keep both the new key and the previous key for a period of time (e.g. 2 weeks), until you are confident that all your users have migrated to the new key.

Troubleshootingโ€‹

Using Logto as OIDC Provider in Cloudflare Zero Trustโ€‹

If you intend to use Logto as an OIDC provider with Cloudflare Zero Trust, please note that it does not support OIDC providers using ECDSA algorithms. When rotating OIDC private signing keys, ensure you use the RSA algorithm by specifying --type rsa in the rotation command:

logto db config rotate oidc.privateKeys --type rsa