Authorization Server Keys

Provides operations to manage JSON Web Key credentials for the given authServerId.

Note: Looking for how to obtain the jwks_uri for your org or custom authorization server? See the well-known OpenID metadata endpoint and the well-known OAuth 2.0 metadata endpoint.

List all Credential Keys
API Access Management
OAuth 2.0: okta.authorizationServers.read

Lists all of the current, future, and expired Keys used by the Custom Authorization Server.

Request
Path parameters
authServerId (string, required): id of the Authorization Server. Example: GeGRTEr7f3yu2n7grw22

Responses
200: Success
403: Forbidden
404: Not Found
429: Too Many Requests

GET /api/v1/authorizationServers/{authServerId}/credentials/keys
Response samples
application/json
[
  {
    "status": "ACTIVE",
    "alg": "RS256",
    "e": "AQAB",
    "n": "g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ",
    "kid": "RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc",
    "kty": "RSA",
    "use": "sig"
  },
  {
    "status": "NEXT",
    "alg": "RS256",
    "e": "AQAB",
    "n": "l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ",
    "kid": "Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo",
    "kty": "RSA",
    "use": "sig"
  },
  {}
]

Retrieve an Authorization Server Key
API Access Management
OAuth 2.0: okta.authorizationServers.read

Retrieves an Authorization Server Key specified by the keyId.

Request
Path parameters
authServerId (string, required): id of the Authorization Server. Example: GeGRTEr7f3yu2n7grw22
keyId (string, required): id of the certificate key. Example: P7jXpG-LG2ObNgY9C0Mn2uf4InCQTmRZMDCZoVNxdrk

Responses
200: Success
403: Forbidden
404: Not Found
429: Too Many Requests

GET /api/v1/authorizationServers/{authServerId}/credentials/keys/{keyId}
Response samples
application/json
{
  "status": "ACTIVE",
  "alg": "RS256",
  "e": "AQAB",
  "n": "g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ",
  "kid": "RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc",
  "kty": "RSA",
  "use": "sig"
}

Rotate all Credential Keys
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Rotates the current Keys for a Custom Authorization Server. If you rotate Keys, the ACTIVE Key becomes the EXPIRED Key, the NEXT Key becomes the ACTIVE Key, and the Custom Authorization Server immediately begins using the new active Key to sign tokens.

Note: Okta rotates your Keys automatically in AUTO mode. You can rotate Keys yourself in either mode. If Keys are rotated manually, you should invalidate any intermediate cache and fetch the Keys again using the Keys endpoint.
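The cache handling this note asks for, as an added example that is not Okta's code: a key cache indexed by kid that refetches on an unknown kid (throttled, since the endpoint can answer 429) and can be invalidated after a manual rotation. `KeyCache`, `fetch_keys`, `rotate`, the 60-second throttle and the `kid-A` to `kid-D` placeholders are hypothetical, and the model assumes a fresh NEXT key is published after each rotation.

```python
import time

class KeyCache:
    """Caches the key list from .../credentials/keys, indexed by kid."""

    def __init__(self, fetch_keys, min_refetch=60.0, clock=time.monotonic):
        self._fetch, self._min, self._clock = fetch_keys, min_refetch, clock
        self._by_kid, self._fetched_at = {}, None

    def invalidate(self):
        """Drop the cache and fetch again; call this after a manual rotation."""
        # Skip empty or unexpected entries instead of trusting them.
        self._by_kid = {k["kid"]: k for k in self._fetch()
                        if k.get("kty") == "RSA" and k.get("use") == "sig" and k.get("kid")}
        self._fetched_at = self._clock()

    def key_for(self, kid):
        """Return the listed JWK for a token's kid, or None if it is not listed."""
        if self._fetched_at is None:
            self.invalidate()
        elif kid not in self._by_kid and self._clock() - self._fetched_at >= self._min:
            # Unknown kid may mean a rotation happened. Refetch, but throttled, so
            # tokens carrying made-up kids cannot push the client into 429s.
            self.invalidate()
        return self._by_kid.get(kid)

def rotate(keys, new_kid):
    """Constructed model of a rotation: ACTIVE -> EXPIRED, NEXT -> ACTIVE."""
    step = {"ACTIVE": "EXPIRED", "NEXT": "ACTIVE"}
    out = [dict(k, status=step[k["status"]]) for k in keys if k.get("status") in step]
    # Assumption: a fresh NEXT key is published and older EXPIRED keys drop off.
    return out + [{"kid": new_kid, "kty": "RSA", "use": "sig", "status": "NEXT"}]

def demo():
    """Two manual rotations against a cache filled before the first one."""
    server = {"keys": [{"kid": "kid-A", "kty": "RSA", "use": "sig", "status": "ACTIVE"},
                       {"kid": "kid-B", "kty": "RSA", "use": "sig", "status": "NEXT"}]}
    now = [0.0]  # fake clock, seconds
    cache = KeyCache(lambda: server["keys"], 60.0, clock=lambda: now[0])
    cached_next = cache.key_for("kid-B")["status"]   # NEXT key is cached ahead of use
    server["keys"] = rotate(rotate(server["keys"], "kid-C"), "kid-D")
    now[0] = 10.0
    stale = cache.key_for("kid-C")                   # new ACTIVE key unknown, throttled
    cache.invalidate()                               # what the note advises
    fresh = cache.key_for("kid-C")["status"]
    return cached_next, stale, fresh

if __name__ == "__main__":
    print(demo())
```

In the demo the cache cannot resolve the new signing key until `invalidate()` is called or the throttle window passes, which is the gap the note's advice closes.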

Request
Path parameters
authServerId (string, required): id of the Authorization Server. Example: GeGRTEr7f3yu2n7grw22

Request Body schema: application/json (required)
use (string, JwkUseType): Purpose of the certificate. The only supported value is sig. Value: "sig"

Responses
200: Success
400: Bad Request
403: Forbidden
404: Not Found
429: Too Many Requests

POST /api/v1/authorizationServers/{authServerId}/credentials/lifecycle/keyRotate
Request samples
application/json
{
  "use": "sig"
}
Response samples
application/json
[
  {
    "status": "ACTIVE",
    "alg": "RS256",
    "e": "AQAB",
    "n": "g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ",
    "kid": "RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc",
    "kty": "RSA",
    "use": "sig"
  },
  {
    "status": "NEXT",
    "alg": "RS256",
    "e": "AQAB",
    "n": "l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ",
    "kid": "Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo",
    "kty": "RSA",
    "use": "sig"
  },
  {}
]