> Describes how your tenant's application signing keys work.

# Signing Keys

When you select our recommended <Tooltip tip="Signing Algorithm: Algorithm used to digitally sign tokens to ensure the token has not been tampered with." cta="View Glossary" href="/docs/glossary?term=signing+algorithm">signing algorithm</Tooltip> (RS256), Auth0 uses public-key cryptography to establish trust with your applications. In more general terms, we use a signing key that consists of a public and private key pair.

Signing keys are used to sign <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+tokens">ID tokens</Tooltip>, <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+tokens">access tokens</Tooltip>, <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> assertions, and <Tooltip tip="WS-Federation (WS-Fed): Protocol for exchanging security tokens between an identity provider and a relying party." cta="View Glossary" href="/docs/glossary?term=WS-Fed">WS-Fed</Tooltip> assertions sent to your application or API. The signing key is a JSON web key (JWK) that contains a well-known public key used to validate the signature of a signed <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JSON+web+token">JSON web token</Tooltip> (JWT). A JSON web key set (JWKS) is a set of keys containing the public keys used to verify any JWT issued by the <Tooltip tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user." cta="View Glossary" href="/docs/glossary?term=authorization+server">authorization server</Tooltip> and signed using the RS256 signing algorithm. Your service needs only one JWK to validate a given token; however, the JWKS may contain multiple keys if the service has rotated its signing certificates.

## How it works

When a user signs in to your application, we create a token that contains information about the user and sign the token using the tenant's private key before we send it back to your application. Auth0 secures the private key, which is unique per tenant.

To verify that the token is valid and originated from Auth0, your application validates the token’s signature using the public key. We provide other application security key management capabilities through both our Dashboard and <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>.

Auth0 recommends that you rotate keys regularly so that you are prepared to respond in case of a security breach.

Additional application signing certificates are listed below.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  These links populate using your active tenant to provide you with accurate information. You must be logged in to `auth0.com/docs` with your tenant credentials to access these links.

  To sign in, select **Log in** to the top right. After logging in, you can switch between tenants by selecting your profile icon and choosing **Switch tenant**.
</Callout>

* <AuthLink href="https://{yourDomain}/cer">CER</AuthLink>
* <AuthLink href="https://{yourDomain}/pem">PEM</AuthLink>
* <AuthLink href="https://{yourDomain}/rawpem">raw PEM</AuthLink>
* <AuthLink href="https://{yourDomain}/pb7">PB7</AuthLink>
* <AuthLink href="https://{yourDomain}/fingerprint">Fingerprint</AuthLink>

You can also retrieve this information for individual applications through the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>. To do so, navigate to the **Settings** page for a specific application. Then, expand the **Advanced Settings** and choose the **Certificates** tab.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  We use the application signing key to sign assertions that are sent to applications. These assertions may include ID tokens, access tokens, SAML assertions, and WS-Fed assertions. Note that these keys are different from those used to sign interactions with connections, including signing SAML requests to Identity Providers (IdPs) and encrypting responses from IdPs.

  By default, SAML assertions for IdP connections are signed, which we recommend. To get public keys you can use to configure the IdP, see [SAML Identity Provider Configuration: Signed Assertions](/docs/authenticate/protocols/saml/saml-identity-provider-configuration-settings).
</Callout>

The rotation and revocation process is flexible and supports a graceful transition for your application. If you prefer to update your application first, then rotate and revoke your key, you may do that. Alternatively, if you prefer to rotate your key first, then update your application and revoke your old key, you may also do that.

Available keys include:

* **Currently used**: Key that is currently being used to sign all new assertions.
* **Previously used**: Key that was previously used, but has been rotated out. Assertions that were generated with this key will still work.
* **Next in queue**: Key that is queued and will replace the current key when the application signing key is next rotated.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Always test signing key rotation on a development tenant before rotating application signing keys in production.
</Callout>

## Limitations

Rotating your signing key is subject to a lower rate limit than other Management API endpoints. To learn more, read [Management API Rate Limits](/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/management-api-endpoint-rate-limits).

## Learn more

* [Rotate Signing Keys](/docs/get-started/tenant-settings/signing-keys/rotate-signing-keys)
* [Revoke Signing Keys](/docs/get-started/tenant-settings/signing-keys/revoke-signing-keys)
* [View Signing Certificates](/docs/get-started/tenant-settings/signing-keys/view-signing-certificates)
* [Change Application Signing Algorithms](/docs/get-started/applications/change-application-signing-algorithms)
