Authorization Server Keys

Provides operations to manage JSON Web Key credentials for the given authServerId.

Note: Looking for how to obtain the jwks_uri for your org or custom authorization server? See the well-known OpenID metadata endpoint and the well-known OAuth 2.0 metadata endpoint.

List all credential keys
API Access Management
OAuth 2.0: okta.authorizationServers.read

Lists all of the current, future, and expired Keys used by the Custom Authorization Server

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/credentials/keys
Request samples
Response samples
application/json
[
  • {
    • "status": "ACTIVE",
    • "alg": "RS256",
    • "e": "AQAB",
    • "n": "g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ",
    • "kid": "RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc",
    • "kty": "RSA",
    • "use": "sig",
    },
  • {
    • "status": "NEXT",
    • "alg": "RS256",
    • "e": "AQAB",
    • "n": "l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ",
    • "kid": "Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo",
    • "kty": "RSA",
    • "use": "sig",
    },
  • {}
]

Retrieve an authorization server key
API Access Management
OAuth 2.0: okta.authorizationServers.read

Retrieves an Authorization Server Key specified by the keyId

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
keyId
required
string

id of the certificate key

Example: P7jXpG-LG2ObNgY9C0Mn2uf4InCQTmRZMDCZoVNxdrk
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/credentials/keys/{keyId}
Request samples
Response samples
application/json
{
  • "status": "ACTIVE",
  • "alg": "RS256",
  • "e": "AQAB",
  • "n": "g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ",
  • "kid": "RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc",
  • "kty": "RSA",
  • "use": "sig",
}

Rotate all credential keys
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Rotates the current Keys for a Custom Authorization Server. If you rotate Keys, the ACTIVE Key becomes the EXPIRED Key, the NEXT Key becomes the ACTIVE Key, and the Custom Authorization Server immediately begins using the new active Key to sign tokens.

Note: Okta rotates your Keys automatically in AUTO mode. You can rotate Keys yourself in either mode. If Keys are rotated manually, you should invalidate any intermediate cache. and fetch the Keys again using the Keys endpoint.

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Request Body schema: application/json
required
use
string (JwkUseType)

Purpose of the certificate. The only supported value is sig.

Value: "sig"
Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/authorizationServers/{authServerId}/credentials/lifecycle/keyRotate
Request samples
application/json
{
  • "use": "sig"
}
Response samples
application/json
[
  • {
    • "status": "ACTIVE",
    • "alg": "RS256",
    • "e": "AQAB",
    • "n": "g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ",
    • "kid": "RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc",
    • "kty": "RSA",
    • "use": "sig",
    },
  • {
    • "status": "NEXT",
    • "alg": "RS256",
    • "e": "AQAB",
    • "n": "l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ",
    • "kid": "Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo",
    • "kty": "RSA",
    • "use": "sig",
    },
  • {}
]