JWKS Key Rotation
Key Rotation with JWKS endpoint
We use JWKS endpoints to support the rotation of signing keys.
The JWKS endpoint provides a dynamic, centralised source for public keys. Here's how it works:
- Generate a new key pair: You generate a new private/public key pair with a new, unique kid (Key ID).
- Add the new key to the JWKS: You add the public key from the new pair to your existing JWKS, which you serve at your public endpoint (/.well-known/jwks.json). The JWKS now contains at least two keys: the old one and the new one.
- Start signing with the new key: Your server begins signing all new JWTs with the new private key and includes the new kid in the JWT header.
- Moneyhub handles both keys: When Moneyhub receives a JWT, it first checks the kid in the header.
  - If the kid matches a key it already has, it uses that key to verify the token.
  - If the kid doesn't match, it fetches the updated JWKS from your public endpoint, finds the correct key, and then verifies the token.
- Graceful deprecation: After a predetermined amount of time (e.g., 24 hours), you can remove the old key from your JWKS, completing the rotation without ever disrupting service for your clients/users.
This process ensures a seamless transition, allowing services to automatically adapt to new keys without requiring any manual intervention. It makes key management scalable and significantly improves the overall security posture of your system.
Key Rotation with raw JWKS in Admin Portal
This version is similar to the previous one, except that in step 2, you must log into Admin Portal and then add the new JWK to the existing JWKS in your client configuration.
You then continue as expected, and when it's time to deprecate the old key, you need to log into Admin Portal again and remove only the old key from your JWKS.