Key Rotation Options (KeyRotationOptions)
Licensing
-
Licensee:
string
The licensee value received upon purchase of a license.
-
LicenseKey:
string
The license key received upon purchase of a license.
Key Rotation Settings
-
CheckInterval:
int
Specifies the interval (in seconds) at which the key rotation check logic runs. Defaults to 7,200 seconds (2 hours).
-
EnableSigningKeyRotation:
bool
Specifies if KeyRotation should be responsible for managing signing keys. Defaults to true.
-
EnableEncryptionKeyRotation:
bool
Specifies if KeyRotation should be responsible for managing encryption keys. Defaults to false.
-
SigningKeyPublishTime:
TimeSpan
The time before a signing key becomes active, during which it is visible in the JWK discovery document but not yet used to sign tokens. Defaults to 7 days.
-
SigningKeyLifetime:
TimeSpan
The period during which a signing key is actively used to sign tokens. Defaults to 90 days. This setting applies only to newly generated keys—once created, a key's lifetime is fixed.
-
SigningKeyRetirementTime:
TimeSpan
The period after a signing key is no longer active but remains visible in the JWK discovery document to validate tokens issued before its expiration. Defaults to 7 days.
Consider Client Cache Lifetimes
When configuring SigningKeyPublishTime, consider how long your clients cache discovery documents. If the cache duration exceeds the publish time, clients may fail to retrieve updated keys in time.
Similarly, when setting SigningKeyRetirementTime, ensure it accommodates the potential lifetime of any tokens issued using the retiring key.
-
EncryptionKeyLifetime:
TimeSpan
The period during which an encryption key is actively used for encryption. Defaults to 90 days. This setting applies only to newly generated keys—once created, a key's lifetime is fixed.
-
EncryptionKeyRetirementTime:
TimeSpan
The period after an encryption key is no longer active but remains in options for decryption purposes. Defaults to 7 days.
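A sketch of the check described under "Consider Client Cache Lifetimes", added here as an example and not part of the library. The SigningKeyTimings record, the function names, the client cache duration, the token lifetimes and the dates are hypothetical or constructed, and the timeline assumes the publish, active and retirement phases run back to back.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for the three signing-key settings documented above;
// this is not the library's KeyRotationOptions type.
record SigningKeyTimings(TimeSpan PublishTime, TimeSpan Lifetime, TimeSpan RetirementTime);

static class RotationTimingCheck
{
    // Returns the problems found; an empty list means the timings fit.
    public static List<string> Validate(SigningKeyTimings t, TimeSpan clientCache, TimeSpan maxTokenLifetime)
    {
        var problems = new List<string>();
        // A client that refreshed just before publication will not see the new key
        // for one full cache period, so the key must stay unused at least that long.
        if (clientCache >= t.PublishTime)
            problems.Add($"Client cache {clientCache} is not shorter than SigningKeyPublishTime {t.PublishTime}");
        // A token signed at the last moment of the active period must still validate.
        if (maxTokenLifetime > t.RetirementTime)
            problems.Add($"Token lifetime {maxTokenLifetime} exceeds SigningKeyRetirementTime {t.RetirementTime}");
        return problems;
    }

    // Assumption: the three phases run back to back from the moment the key is created.
    public static void PrintTimeline(SigningKeyTimings t, DateTimeOffset created)
    {
        var active = created + t.PublishTime;
        var retired = active + t.Lifetime;
        var removed = retired + t.RetirementTime;
        Console.WriteLine($"published {created:u} | signing from {active:u} | retired {retired:u} | removed {removed:u}");
    }

    static void Main()
    {
        var created = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero); // constructed date
        var cases = new[]
        {
            // Documented defaults against a constructed 24 h client cache and 1 h tokens.
            (new SigningKeyTimings(TimeSpan.FromDays(7), TimeSpan.FromDays(90), TimeSpan.FromDays(7)), TimeSpan.FromHours(24), TimeSpan.FromHours(1)),
            // Constructed tight settings: 12 h publish time, 1 day retirement, 14-day tokens.
            (new SigningKeyTimings(TimeSpan.FromHours(12), TimeSpan.FromDays(30), TimeSpan.FromDays(1)), TimeSpan.FromHours(24), TimeSpan.FromDays(14)),
        };
        foreach (var (timings, cache, tokenLifetime) in cases)
        {
            PrintTimeline(timings, created);
            var problems = Validate(timings, cache, tokenLifetime);
            Console.WriteLine(problems.Count == 0 ? "  OK" : "  " + string.Join("\n  ", problems));
        }
    }
}
```

The first case passes; the second reports both problems, because a 24-hour client cache outlasts the 12-hour publish time and 14-day tokens outlive the 1-day retirement window.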
Key Generation Settings
-
SigningKeyType:
SupportedKeyTypes
Specifies the type of signing key to generate when a new key is needed. Defaults to SupportedKeyTypes.RSA. Allowed types are SupportedKeyTypes.Rsa or SupportedKeyTypes.Ecdsa.
-
EncryptionKeyType:
SupportedKeyTypes
Specifies the type of encryption key to generate when a new key is needed. Defaults to SupportedKeyTypes.RSA. Allowed types are SupportedKeyTypes.Rsa or SupportedKeyTypes.Aes.
-
AesKeySize:
int
The size of the AES key to be generated. Defaults to 256 bits.
-
RsaKeySize:
int
The size of the RSA key to be generated. Defaults to 2048 bits.
-
EcCurveType:
EcCurveType
Specifies the curve type used for generating ECDSA keys. Available options are 'Ps256', 'Ps384', and 'Ps512'. Defaults to 'Ps256'.