Skip to main content

Access Token signing key rotation


Access Token signing key rotation implies that the secret key for signing the access tokens will be changed at a fixed time interval. This reduces the risk of key theft.

  • Existing logged in users are not logged out on key change.
  • This feature is enabled by default.

Changing the key rotation interval#

docker run \
-p 3567:3567 \
-d<db name>
  • access_token_dynamic_signing_key_update_interval
    • Time in hours for how frequently the signing key will change.
    • It must be set to a number value with, the default value set to 168

For managed service, this value can be updated by visiting our dashboard.

Using static keys to sign access tokens#

If you do not want to use dynamic keys for session creation, then you can tell SuperTokens to use the static key instead. This is useful in cases where you want to hardcode the public key for JWT verification in some process.

import SuperTokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";

supertokens: {
connectionURI: "...",
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "..."
recipeList: [
useDynamicAccessTokenSigningKey: false,

Updating this value will cause a spike in the session refresh API, as and when users visit your application.

Looking for older versions of the documentation?
Which UI do you use?
Custom UI
Pre built UI