Access Token signing key rotation
About
Access Token signing key rotation means that the secret key used to sign access tokens is replaced at a fixed time interval. This reduces the risk associated with key theft, since any one key is only used for signing during its interval.
Info:
- Existing logged in users are not logged out when the key changes.
- This feature is enabled by default.
Changing the key rotation interval
```shell
docker run \
    -p 3567:3567 \
    -e ACCESS_TOKEN_DYNAMIC_SIGNING_KEY_UPDATE_INTERVAL=168 \
    -d registry.supertokens.io/supertokens/supertokens-<db name>
```
access_token_dynamic_signing_key_update_interval
- Time in hours for how frequently the signing key will change.
- It must be set to a number value; the default value is 168 (7 days).
Info:
For the managed service, this value can be updated by visiting our dashboard.
Using static keys to sign access tokens
If you do not want to use dynamic keys for session creation, you can tell SuperTokens to use the static key instead. This is useful when you want to hardcode the public key for JWT verification in some other process.
```typescript
import SuperTokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";

SuperTokens.init({
    supertokens: {
        connectionURI: "...",
    },
    appInfo: {
        apiDomain: "...",
        appName: "...",
        websiteDomain: "..."
    },
    recipeList: [
        Session.init({
            useDynamicAccessTokenSigningKey: false,
        })
    ]
});
```
Caution:
Updating this value will cause a spike in calls to the session refresh API as users visit your application.