Skip to main content

Rotate signing keys (OSS)

note

If you're using Logto Cloud, you can rotate signing keys in the Console UI, please refer to this tutorial.

Logto OSS has supported rotating signing keys since v1.8.

Logto OIDC signing keys, as known as “OIDC private keys” and “OIDC cookie keys”, are the signing keys used to encrypt JWT tokens (access tokens and ID tokens) and browser cookies in Logto sign-in sessions.

Rotate your signing keys regularly can reduce the risks of potential key compromise. Logto recommends you to rotate your signing keys at least once a year.

Rotate OIDC private signing keys

Use the CLI command below to generate a new OIDC private signing key. The new key will be automatically utilized after reboot.

Available options:

--type    (Optional) The signing key algorithm for your JWT tokens.
          Values are "rsa" or "ec". Defaults to "ec".
logto db config rotate oidc.privateKeys --type rsa

Use the CLI command below to generate a new OIDC cookie key. The new key will be automatically utilized after reboot.

logto db config rotate oidc.cookieKeys

What about the previous keys?

Logto key rotation commands will not delete your previous signing keys, and they will be kept in the database unless you manually delete them.

Also, be cautious when deleting your previous keys, as it may cause unexpected issues. It is recommended to keep both the new key and the previous key for a period of time (e.g. 2 weeks), until you are confident that all your users have migrated to the new key.

Troubleshooting

Using Logto as OIDC Provider in Cloudflare Zero Trust

If you intend to use Logto as an OIDC provider with Cloudflare Zero Trust, please note that it does not support OIDC providers using ECDSA algorithms. When rotating OIDC private signing keys, ensure you use the RSA algorithm by specifying --type rsa in the rotation command:

logto db config rotate oidc.privateKeys --type rsa