Documentation/Security

JWT key rotation

The embed JWT is signed with a key from an in-memory store. Each key has a kid (key ID) that is carried in the JWT header, so a verifier can look up the exact key a token was signed with.

Rotation

/app/security → JWT signing keys → Generate a new key.

  • The new key becomes active
  • Old keys become passive — they validate existing JWTs until their exp but don't sign new ones
  • When all JWTs signed with an old key have expired, it is deleted automatically

Forced invalidation

KeyRevocator can mark a kid as revoked BEFORE its natural TTL — for example, on a suspected key compromise. All existing JWTs with that kid are rejected immediately.
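The lifecycle described in the two sections above (active → passive → deleted, plus forced revocation by kid) as a runnable model. This is an added example, not the project's code: the KeyStore class, the kid format ("k1", "k2", …), the injected clock (now passed as an argument) and the HS256-by-hand token format are assumptions made so the example runs offline without third-party libraries.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Added example, not the project's code. The class name, kid format and
# explicit "now" parameter are assumptions; the lifecycle rules come from
# the documentation above.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def header_of(token: str) -> dict:
    """Parse the (unverified) JWT header; this is where the kid is read from."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    if not isinstance(header, dict):
        raise ValueError("header is not an object")
    return header


class KeyStore:
    def __init__(self):
        # kid -> {"secret": bytes, "state": active|passive|revoked, "max_exp": int}
        self.keys = {}
        self.active_kid = None
        self._counter = 0

    def generate_key(self) -> str:
        """Rotation: the new key becomes active, the previous active key turns passive."""
        if self.active_kid is not None:
            self.keys[self.active_kid]["state"] = "passive"
        self._counter += 1
        kid = f"k{self._counter}"  # constructed kid format
        self.keys[kid] = {"secret": os.urandom(32), "state": "active", "max_exp": 0}
        self.active_kid = kid
        return kid

    def sign(self, claims: dict, now: int, ttl: int) -> str:
        """Only the active key signs; passive and revoked keys never do."""
        if self.active_kid is None:
            raise RuntimeError("no active signing key; generate one first")
        key = self.keys[self.active_kid]
        exp = now + ttl
        header = {"alg": "HS256", "typ": "JWT", "kid": self.active_kid}
        payload = dict(claims, exp=exp)
        signing_input = _b64url(_json_bytes(header)) + "." + _b64url(_json_bytes(payload))
        sig = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
        # Track the latest exp issued under this kid: the key may be deleted
        # only once every JWT it signed has expired.
        key["max_exp"] = max(key["max_exp"], exp)
        return signing_input + "." + _b64url(sig)

    def verify(self, token: str, now: int):
        """Return (claims, "ok") or (None, reason). Key state is checked before the MAC."""
        parts = token.split(".")
        if len(parts) != 3:
            return None, "malformed"
        try:
            header = header_of(token)
        except ValueError:
            return None, "malformed"
        if header.get("alg") != "HS256":
            return None, "alg not allowed"  # no alg=none, no algorithm confusion
        key = self.keys.get(header.get("kid"))
        if key is None:
            return None, "unknown kid"  # never issued, or already swept
        if key["state"] == "revoked":
            return None, "kid revoked"  # forced invalidation wins over exp
        expected = hmac.new(key["secret"], f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None, "bad signature"
        claims = json.loads(_b64url_decode(parts[1]))
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None, "expired"
        return claims, "ok"

    def revoke(self, kid: str) -> None:
        """KeyRevocator role: every JWT carrying this kid is rejected from now on."""
        self.keys[kid]["state"] = "revoked"
        if kid == self.active_kid:
            self.active_kid = None  # a replacement key must be generated

    def sweep(self, now: int) -> list:
        """Delete non-active keys whose last-issued JWT has expired; return deleted kids."""
        gone = [kid for kid, k in self.keys.items()
                if k["state"] != "active" and k["max_exp"] <= now]
        for kid in gone:
            del self.keys[kid]
        return gone


if __name__ == "__main__":
    ks = KeyStore()
    ks.generate_key()
    tok = ks.sign({"sub": "embed-42"}, now=int(time.time()), ttl=600)
    print(header_of(tok)["kid"], ks.verify(tok, now=int(time.time()))[1])
```

Two design points worth noting: verification looks up the key by kid and checks its state before computing the MAC, so a revoked kid is rejected with a precise reason even though its signature would still be valid; and the sweep only considers non-active keys whose recorded maximum exp has passed, which is what makes automatic deletion safe.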