Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hey team - looking for clarification on key rotation behavior and best practices:

1. Your docs mention that during rotation, Ory uses the "first" key in the keyset for signing new tokens. However, when adding a new key at the top, it seems to continue using the old key for several days. Is this expected behavior?

2. For services verifying tokens during rotation periods:
   - Should we verify against multiple keys in the JWKS?
   - Is there documentation on recommended client-side handling?

Would appreciate any guidance, particularly around the grace period behavior and client implementation details.