When will Okta add the new JWK public key in GET api/v1/authorizationServers/{authServerID}/credentials/keys?

The API docs for Get Authorization Server Keys show that we can get the NEXT JWK (i.e. status is NEXT).

However, when I tried using our tenant, it only shows the active one. So the question is: when will the NEXT JWK be available in the API?

Are you using the default auth server ({your_okta_org}/oauth2/default) or a custom one?

@arinto I came across some information that explains this - What you are seeing is expected behavior:

Okta generates the NEXT key halfway through the life of the CURRENT key. Since it’s auto-rotated every 90 days (roughly), then around day 45, you’ll have the NEXT key available. If there is an emergency rotation or you rotate it manually, that window will be shorter.

Essentially, the NEXT signing key is available ~45 days in advance and the PREV signing key is available ~45 days after Okta stops issuing tokens with it. Hope this helps!
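
Added example (not from the thread and not Okta's code): a client-side key cache that relies on the rotation behaviour described above, picking the verification key by `kid` and caching a NEXT key before it becomes the signing key. `SigningKeyCache`, `fetch_keys`, the 300-second throttle, the RS256 check and the sample key ids are assumptions; the sample entries are constructed.

```python
import base64, json, time

class SigningKeyCache:
    """Index authorization-server signing keys by kid; refetch on an unknown kid."""

    def __init__(self, fetch_keys, min_refresh=300, clock=time.monotonic):
        self.fetch_keys = fetch_keys      # hypothetical callable returning the keys list
        self.min_refresh = min_refresh    # seconds between refetches (assumed value)
        self.clock = clock
        self.keys = {}
        self.last_fetch = None

    def refresh(self):
        # Keep every published key regardless of status: a NEXT key cached now
        # is already known when it becomes the signing key.
        self.keys = {k["kid"]: k for k in self.fetch_keys()}
        self.last_fetch = self.clock()

    def key_for(self, token):
        """Return the JWK matching the token's kid, or None if the token must be rejected."""
        head = token.split(".")[0]
        try:
            header = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
        except ValueError:
            return None
        # Assumption: the server signs with RS256; anything else is refused.
        if not isinstance(header, dict) or header.get("alg") != "RS256":
            return None
        kid = header.get("kid")
        stale = self.last_fetch is None or self.clock() - self.last_fetch >= self.min_refresh
        if kid not in self.keys and stale:
            self.refresh()        # throttled, so forged kids cannot force a fetch per request
        return self.keys.get(kid) # the signature check with this key happens elsewhere

def jwk(kid, status):
    # Constructed sample entry; real entries also carry the RSA parameters n and e.
    return {"kid": kid, "kty": "RSA", "use": "sig", "status": status}

def fake_token(kid, alg="RS256"):
    # Constructed, unsigned token: only the header matters for key selection.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "kid": kid}), enc({"sub": "demo"}), "sig"])

if __name__ == "__main__":
    published = [jwk("k1", "ACTIVE"), jwk("k2", "NEXT")]   # state around day 45
    cache = SigningKeyCache(lambda: published)
    print(cache.key_for(fake_token("k1")))   # first lookup fetches and caches both keys
    published = [jwk("k2", "ACTIVE")]        # after rotation
    print(cache.key_for(fake_token("k2")))   # served from cache, no refetch needed
    print(cache.key_for(fake_token("zz")))   # unknown kid inside the throttle window
```

A lookup that returns `None` means the token is rejected; a returned key still has to be used for an actual signature and claims check.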

All right, when is the NEXT key available in the JWKs endpoint?
Will there be a case where both ACTIVE and NEXT keys are exposed at the same time in the JWKs endpoint?
