Signing Keys

Signing Keys are the private keys or certificates TokenIDP uses to sign issued tokens. APIs validate those tokens by reading the matching public keys from JWKS.

Responsibilities

  • Keep private signing material protected.
  • Publish public validation keys through JWKS.
  • Rotate keys with enough overlap for existing tokens to expire.

Common Pitfalls

  • Removing an old key before all tokens signed by it have expired.
  • Configuring APIs to pin one key instead of using JWKS.

Troubleshooting

  • If APIs reject valid-looking tokens, compare the token's kid header with the keys currently published in JWKS.
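The JWKS lookup described above, as an added example in Go that is not TokenIDP's own code: the IdP publishes only public JWK entries tagged with a kid, the API resolves a token's kid against the JWKS it currently holds instead of pinning one key, and a kid that is no longer published fails with a distinct error, which is the comparison the troubleshooting item describes. Ed25519/EdDSA and the names NewSigningKey, Sign and Verify are assumptions; claim checks such as exp and aud are out of scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type JWK map[string]string // one entry of a JWKS "keys" array (string fields; OKP/Ed25519 only here)
var enc = base64.RawURLEncoding
func decode(s string) []byte { b, _ := enc.DecodeString(s); return b }

// NewSigningKey makes an Ed25519 pair; the private half stays with the IdP, only the JWK is published.
func NewSigningKey(kid string) (ed25519.PrivateKey, JWK) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return priv, JWK{"kid": kid, "kty": "OKP", "crv": "Ed25519", "x": enc.EncodeToString(pub)}
}

// Sign builds an EdDSA compact JWS whose header names the signing key by kid.
func Sign(kid string, priv ed25519.PrivateKey, claims string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString([]byte(claims))
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// Verify resolves the token's kid against the JWKS the API currently holds, not a pinned key.
// An unknown kid is the troubleshooting case: key withdrawn before its tokens expired, or a stale JWKS copy.
func Verify(token string, jwks []JWK) error {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || json.Unmarshal(decode(parts[0]), &hdr) != nil || hdr.Alg != "EdDSA" {
		return fmt.Errorf("token rejected: need 3 segments and alg EdDSA") // expected alg is fixed by the verifier
	}
	for _, j := range jwks {
		if j["kid"] != hdr.Kid || j["kty"] != "OKP" || j["crv"] != "Ed25519" {
			continue
		}
		pub := ed25519.PublicKey(decode(j["x"]))
		if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), decode(parts[2])) {
			return fmt.Errorf("signature invalid for kid %q", hdr.Kid)
		}
		return nil
	}
	return fmt.Errorf("kid %q not in JWKS", hdr.Kid)
}
```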