Skip to content

Key Configuration

Auth Service uses keys for platform signing workflows and, in supported provider modes, Auth Service-issued tokens.

  • DID signing for governance evidence and integrity workflows.
  • Platform and service-account signing operations.
  • Token signing for Keycloak and Microsoft Entra token-exchange deployments.

Auth0 and generic OIDC deployments rely on provider-issued user tokens and do not use Auth Service token exchange.

Use Azure Key Vault, AWS KMS, or Google Cloud KMS for customer environments. Use the mock provider only for local development or test environments.

Plan key rotation during a maintenance window. Confirm downstream services can validate newly signed material before retiring old keys. Keep audit records for key changes and never publish private key material in release documentation.

If signing or token exchange fails, confirm the key provider is reachable, the configured key exists, and Auth Service has permission to use it.