Key Configuration
Auth Service uses keys for platform signing workflows and, in supported provider modes, Auth Service-issued tokens.
Key Uses
Section titled “Key Uses”- DID signing for governance evidence and integrity workflows.
- Platform and service-account signing operations.
- Token signing for Keycloak and Microsoft Entra token-exchange deployments.
Auth0 and generic OIDC deployments rely on provider-issued user tokens and do not use Auth Service token exchange.
Supported Key Providers
Section titled “Supported Key Providers”Use Azure Key Vault, AWS KMS, or Google Cloud KMS for customer environments. Use the mock provider only for local development or test environments.
Rotation Guidance
Section titled “Rotation Guidance”Plan key rotation during a maintenance window. Confirm downstream services can validate newly signed material before retiring old keys. Keep audit records for key changes and never publish private key material in release documentation.
Troubleshooting
Section titled “Troubleshooting”If signing or token exchange fails, confirm the key provider is reachable, the configured key exists, and Auth Service has permission to use it.