Rotate JWKS public/private keypair on Service App

We are using Service App (client credentials grant flow) with Okta Java SDK to access Okta API.

I have created the Service App by following
https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/overview/

We need to rotate the JWKS/public private keys, looks like I can update the public key using “Update Client Application” (see link below), but I don’t see how to specify the key to be used on the Client (old vs new key, when the key is updated)

https://developer.okta.com/docs/reference/api/oauth-clients/#update-a-client-application

I found below link, and it looks like the key id (“kid”), needs to be set to specify the key to be used, but I don’t see a way to set the kid using Okta Java SDK.

Since you’re using OAuth for Okta, you are using the org authorization server.

Unfortunately, you can not rotate the keys manually but Okta will rotate them automatically.

You can’t manually rotate the Org Authorization Server’s signing keys.

https://developer.okta.com/docs/concepts/key-rotation/#key-rotation-for-the-org-authorization-server

I was talking about rotating the keys/key pair on Service app (Overview | Okta Developer)

And below how we connect to Okta API via Okta Java SDK.

Client client = Clients.builder()
.setOrgUrl(orgUrl)
.setClientId(client id of the service app)
.setAuthorizationMode(AuthorizationMode.PRIVATE_KEY)
.setPrivateKey(privateKey())
setScopes(okta api scopes)
.build();

Note the privateKey() method above, returns the Private Key, my questions how to rotate the public key on the Okta Service app ? That way if the public key is rotated, the privateKey() method will return new private key associated with the latest public key update on the Service App.

Sorry I misread your question. You’re correct, you can use the Clients endpoint to update the JWKS for the service app. It would be similar to the step from here:
https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/create-serviceapp-grantscopes/#create-a-service-app

Note: You can’t use the access token from a service app to update the JWKS for the service app itself. You will need to use an Okta API token instead to make the request.