Rotate signing keys
Logto OIDC signing keys, as known as “OIDC private keys” and “OIDC cookie keys”, are the signing keys used to encrypt JWT tokens (access tokens and ID tokens) and browser cookies in Logto sign-in sessions.
Rotate your signing keys regularly can reduce the risks of potential key compromise. Logto recommends you to rotate your signing keys at least once a year.
Rotate OIDC private signing keys
Use the CLI command below to generate a new OIDC private signing key. The new key will be automatically utilized after reboot.
--type (Optional) The signing key algorithm for your JWT tokens.
Values are "rsa" or "ec". Defaults to "ec".
logto db config rotate oidc.privateKeys --type rsa
npm run cli db config rotate oidc.privateKeys -- --type rsa
npx @logto/cli db config rotate oidc.privateKeys -- --type rsa
Rotate OIDC cookie keys
Use the CLI command below to generate a new OIDC cookie key. The new key will be automatically utilized after reboot.
logto db config rotate oidc.cookieKeys
npm run cli db config rotate oidc.cookieKeys
npx @logto/cli db config rotate oidc.cookieKeys
What about the previous keys?
Logto key rotation commands will not delete your previous signing keys, and they will be kept in the database unless you manually delete them.
Also, be cautious when deleting your previous keys, as it may cause unexpected issues. It is recommended to keep both the new key and the previous key for a period of time (e.g. 2 weeks), until you are confident that all your users have migrated to the new key.