Revoke Signing Keys

You can revoke your tenant's application or API signing key using the Auth0 Dashboard or the Management API. The signing key is used to sign ID tokens, access tokens, SAML assertions, and WS-Fed assertions sent to your application or API. To learn more, read Signing Keys.

Prerequisites

  • Before you can revoke a previously-used signing key, you must first have rotated the key. To learn more, read Rotate Signing Keys, or see the Rotate and revoke signing key section below.

  • Make sure you have updated your application or API with the new key before you revoke the previous key.

You cannot reuse a signing key after revocation, so be sure that you want to revoke it.

Use the Dashboard

Revoke previously used signing key

  1. Go to Dashboard > Settings > Signing Keys.

  2. In the List of Valid Keys section, locate the Previously Used key, select the more options (...) menu, and select Revoke Key. The List of Valid Keys section lists the current signing key being used by your tenant, plus the next signing key that will be assigned should you choose to rotate your signing keys. If you have previously rotated signing keys, this section also lists the previously-used keys. The List of Revoked Keys section lists the last three revoked keys for your tenant.

  3. Select Revoke to confirm.

Rotate and revoke signing key

  1. Go to Dashboard > Settings > Signing Keys.

  2. In the Rotation Settings section, locate the Rotate & Revoke Signing Key section, and select Rotate & Revoke Key.

  3. Select Rotate & Revoke to confirm.

Use the Management API

You can only revoke the previously used signing key.

  1. To get a list of the signing keys, make a GET call to the Get all Application Signing Keys endpoint.

  2. Make a PUT call to the Revoke an Application Signing Key by its Key ID endpoint. Be sure to replace the YOUR_KEY_ID and MGMT_API_ACCESS_TOKEN placeholder values with your signing key's ID and Management API access token, respectively.

    
    
    curl --request PUT \
      --url 'https://YOUR_DOMAIN/api/v2/keys/signing/YOUR_KEY_ID/revoke' \
      --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN'
    var client = new RestClient("https://YOUR_DOMAIN/api/v2/keys/signing/YOUR_KEY_ID/revoke");
    var request = new RestRequest(Method.PUT);
    request.AddHeader("authorization", "Bearer MGMT_API_ACCESS_TOKEN");
    IRestResponse response = client.Execute(request);
    package main
    
    import (
    	"fmt"
    	"net/http"
    	"io/ioutil"
    )
    
    func main() {
    
    	url := "https://YOUR_DOMAIN/api/v2/keys/signing/YOUR_KEY_ID/revoke"
    
    	req, _ := http.NewRequest("PUT", url, nil)
    
    	req.Header.Add("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
    
    	res, _ := http.DefaultClient.Do(req)
    
    	defer res.Body.Close()
    	body, _ := ioutil.ReadAll(res.Body)
    
    	fmt.Println(res)
    	fmt.Println(string(body))
    
    }
    HttpResponse<String> response = Unirest.put("https://YOUR_DOMAIN/api/v2/keys/signing/YOUR_KEY_ID/revoke")
      .header("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
      .asString();
    var axios = require("axios").default;
    
    var options = {
      method: 'PUT',
      url: 'https://YOUR_DOMAIN/api/v2/keys/signing/YOUR_KEY_ID/revoke',
      headers: {authorization: 'Bearer MGMT_API_ACCESS_TOKEN'}
    };
    
    axios.request(options).then(function (response) {
      console.log(response.data);
    }).catch(function (error) {
      console.error(error);
    });
    #import <Foundation/Foundation.h>
    
    NSDictionary *headers = @{ @"authorization": @"Bearer MGMT_API_ACCESS_TOKEN" };
    
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_DOMAIN/api/v2/keys/signing/YOUR_KEY_ID/revoke"]
                                                           cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                       timeoutInterval:10.0];
    [request setHTTPMethod:@"PUT"];
    [request setAllHTTPHeaderFields:headers];
    
    NSURLSession *session = [NSURLSession sharedSession];
    NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                                completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                    if (error) {
                                                        NSLog(@"%@", error);
                                                    } else {
                                                        NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                        NSLog(@"%@", httpResponse);
                                                    }
                                                }];
    [dataTask resume];
    $curl = curl_init();
    
    curl_setopt_array($curl, [
      CURLOPT_URL => "https://YOUR_DOMAIN/api/v2/keys/signing/YOUR_KEY_ID/revoke",
      CURLOPT_RETURNTRANSFER => true,
      CURLOPT_ENCODING => "",
      CURLOPT_MAXREDIRS => 10,
      CURLOPT_TIMEOUT => 30,
      CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
      CURLOPT_CUSTOMREQUEST => "PUT",
      CURLOPT_HTTPHEADER => [
        "authorization: Bearer MGMT_API_ACCESS_TOKEN"
      ],
    ]);
    
    $response = curl_exec($curl);
    $err = curl_error($curl);
    
    curl_close($curl);
    
    if ($err) {
      echo "cURL Error #:" . $err;
    } else {
      echo $response;
    }
    import http.client
    
    conn = http.client.HTTPSConnection("")
    
    headers = { 'authorization': "Bearer MGMT_API_ACCESS_TOKEN" }
    
    conn.request("PUT", "/YOUR_DOMAIN/api/v2/keys/signing/YOUR_KEY_ID/revoke", headers=headers)
    
    res = conn.getresponse()
    data = res.read()
    
    print(data.decode("utf-8"))
    require 'uri'
    require 'net/http'
    require 'openssl'
    
    url = URI("https://YOUR_DOMAIN/api/v2/keys/signing/YOUR_KEY_ID/revoke")
    
    http = Net::HTTP.new(url.host, url.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    
    request = Net::HTTP::Put.new(url)
    request["authorization"] = 'Bearer MGMT_API_ACCESS_TOKEN'
    
    response = http.request(request)
    puts response.read_body
    import Foundation
    
    let headers = ["authorization": "Bearer MGMT_API_ACCESS_TOKEN"]
    
    let request = NSMutableURLRequest(url: NSURL(string: "https://YOUR_DOMAIN/api/v2/keys/signing/YOUR_KEY_ID/revoke")! as URL,
                                            cachePolicy: .useProtocolCachePolicy,
                                        timeoutInterval: 10.0)
    request.httpMethod = "PUT"
    request.allHTTPHeaderFields = headers
    
    let session = URLSession.shared
    let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
      if (error != nil) {
        print(error)
      } else {
        let httpResponse = response as? HTTPURLResponse
        print(httpResponse)
      }
    })
    
    dataTask.resume()
    Value Description
    YOUR_KEY_ID ID of the signing key to be revoked. To learn how to find your signing key ID, see Locate JSON Web Key Sets.
    MGMT_API_ACCESS_TOKEN Access Token for the Management API with the scope update:signing_keys.

Learn more