Revoke Signing Keys

You can revoke your tenant's application or API signing key using the Auth0 Dashboard or the Management API. The signing key is used to sign ID tokens, access tokens, SAML assertions, and WS-Fed assertions sent to your application or API. To learn more, read Signing Keys.

Prerequisites

  • Before you can revoke a previously-used signing key, you must first have rotated the key. To learn more, read Rotate Signing Keys, or see the Rotate and revoke signing key section below.

  • Make sure you have updated your application or API with the new key before you revoke the previous key.

Use the Dashboard

Revoke previously used signing key

  1. Go to Dashboard > Settings > Signing Keys.

  2. In the List of Valid Keys section, locate the Previously Used key, select the more options (...) menu, and select Revoke Key. The List of Valid Keys section lists the current signing key being used by your tenant, plus the next signing key that will be assigned should you choose to rotate your signing keys. If you have previously rotated signing keys, this section also lists the previously-used keys. The List of Revoked Keys section lists the last three revoked keys for your tenant.

  3. Select Revoke to confirm.

Rotate and revoke signing key

  1. Go to Dashboard > Settings > Signing Keys.

  2. In the Rotation Settings section, locate the Rotate & Revoke Signing Key section, and select Rotate & Revoke Key.

  3. Select Rotate & Revoke to confirm.

Use the Management API

  1. To get a list of the signing keys, make a GET call to the Get all Application Signing Keys endpoint.

  2. Make a PUT call to the Revoke an Application Signing Key by its Key ID endpoint. Be sure to replace the {yourKeyId} and {yourMgmtApiAccessToken} placeholder values with your signing key's ID and Management API access token, respectively.

    
    
    curl --request PUT \
      --url 'https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke' \
      --header 'authorization: Bearer {yourMgmtApiAccessToken}'

    Was this helpful?

    /
    var client = new RestClient("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke");
    var request = new RestRequest(Method.PUT);
    request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}");
    IRestResponse response = client.Execute(request);

    Was this helpful?

    /
    package main
    
    import (
    	"fmt"
    	"net/http"
    	"io/ioutil"
    )
    
    func main() {
    
    	url := "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke"
    
    	req, _ := http.NewRequest("PUT", url, nil)
    
    	req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}")
    
    	res, _ := http.DefaultClient.Do(req)
    
    	defer res.Body.Close()
    	body, _ := ioutil.ReadAll(res.Body)
    
    	fmt.Println(res)
    	fmt.Println(string(body))
    
    }

    Was this helpful?

    /
    HttpResponse<String> response = Unirest.put("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke")
      .header("authorization", "Bearer {yourMgmtApiAccessToken}")
      .asString();

    Was this helpful?

    /
    var axios = require("axios").default;
    
    var options = {
      method: 'PUT',
      url: 'https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke',
      headers: {authorization: 'Bearer {yourMgmtApiAccessToken}'}
    };
    
    axios.request(options).then(function (response) {
      console.log(response.data);
    }).catch(function (error) {
      console.error(error);
    });

    Was this helpful?

    /
    #import <Foundation/Foundation.h>
    
    NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiAccessToken}" };
    
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke"]
                                                           cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                       timeoutInterval:10.0];
    [request setHTTPMethod:@"PUT"];
    [request setAllHTTPHeaderFields:headers];
    
    NSURLSession *session = [NSURLSession sharedSession];
    NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                                completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                    if (error) {
                                                        NSLog(@"%@", error);
                                                    } else {
                                                        NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                        NSLog(@"%@", httpResponse);
                                                    }
                                                }];
    [dataTask resume];

    Was this helpful?

    /
    $curl = curl_init();
    
    curl_setopt_array($curl, [
      CURLOPT_URL => "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke",
      CURLOPT_RETURNTRANSFER => true,
      CURLOPT_ENCODING => "",
      CURLOPT_MAXREDIRS => 10,
      CURLOPT_TIMEOUT => 30,
      CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
      CURLOPT_CUSTOMREQUEST => "PUT",
      CURLOPT_HTTPHEADER => [
        "authorization: Bearer {yourMgmtApiAccessToken}"
      ],
    ]);
    
    $response = curl_exec($curl);
    $err = curl_error($curl);
    
    curl_close($curl);
    
    if ($err) {
      echo "cURL Error #:" . $err;
    } else {
      echo $response;
    }

    Was this helpful?

    /
    import http.client
    
    conn = http.client.HTTPSConnection("")
    
    headers = { 'authorization': "Bearer {yourMgmtApiAccessToken}" }
    
    conn.request("PUT", "/{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke", headers=headers)
    
    res = conn.getresponse()
    data = res.read()
    
    print(data.decode("utf-8"))

    Was this helpful?

    /
    require 'uri'
    require 'net/http'
    require 'openssl'
    
    url = URI("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke")
    
    http = Net::HTTP.new(url.host, url.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    
    request = Net::HTTP::Put.new(url)
    request["authorization"] = 'Bearer {yourMgmtApiAccessToken}'
    
    response = http.request(request)
    puts response.read_body

    Was this helpful?

    /
    import Foundation
    
    let headers = ["authorization": "Bearer {yourMgmtApiAccessToken}"]
    
    let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke")! as URL,
                                            cachePolicy: .useProtocolCachePolicy,
                                        timeoutInterval: 10.0)
    request.httpMethod = "PUT"
    request.allHTTPHeaderFields = headers
    
    let session = URLSession.shared
    let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
      if (error != nil) {
        print(error)
      } else {
        let httpResponse = response as? HTTPURLResponse
        print(httpResponse)
      }
    })
    
    dataTask.resume()

    Was this helpful?

    /
    Value Description
    YOUR_KEY_ID ID of the signing key to be revoked. To learn how to find your signing key ID, see Locate JSON Web Key Sets.
    MGMT_API_ACCESS_TOKEN Access Token for the Management API with the scope update:signing_keys.

Learn more