This article describes how to configure an Okta Custom Authorization Server to use manual signing key rotation instead of the default automatic key rotation feature.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- API Access Management
- Key Rotation
NOTE: Manual key rotation should be used only when automatic key rotation is not feasible. If there is a security incident, Okta rotates all keys as part of a defensive maneuver; this setting may conflict during that process.
Navigate to the API security settings in the Okta Admin Console, change the signing key rotation value to manual, and rotate the signing keys.
- Go to Security > API in the Okta Admin Console.
- Select the relevant authorization server.
- Change the value of Signing Key Rotation to Manual and click Save.
- Go to the authorization server Settings tab and click Rotate Signing Keys to manually rotate the keys.
NOTE: The Rotate Signing Keys button and the Valid Signing Keys section only display when the Signing Key Rotation option is set to Manual.
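What a manual rotation means for services that validate tokens from this authorization server, shown as an added example (not Okta's code and not part of the original article): a verifier-side key cache that looks keys up by `kid` and refetches the published key set when it meets an unknown `kid`. The `JwksCache` class, the `fetch_jwks` callable, the key sets and the `kid` values are all constructed for illustration.

```python
import time

class JwksCache:
    """Verifier-side cache of signing keys, indexed by kid (hypothetical helper)."""

    def __init__(self, fetch_jwks, min_refetch_seconds=60, clock=time.monotonic):
        self._fetch = fetch_jwks          # callable returning a JWKS dict
        self._min_gap = min_refetch_seconds
        self._clock = clock
        self._keys = {}
        self._last_fetch = None

    def _refresh(self):
        jwks = self._fetch()
        self._keys = {k["kid"]: k for k in jwks.get("keys", [])
                      if k.get("use", "sig") == "sig"}
        self._last_fetch = self._clock()

    def key_for(self, kid):
        """Return the JWK for kid, or None if the token must be rejected."""
        if self._last_fetch is None:
            self._refresh()
        elif kid not in self._keys and self._clock() - self._last_fetch >= self._min_gap:
            # Unknown kid usually means the keys were rotated. Refetch, but
            # rate-limit so tokens with made-up kids cannot force a fetch each.
            self._refresh()
        return self._keys.get(kid)

def simulate_rotation():
    """Replay a manual rotation against the cache using constructed key sets."""
    published = {"keys": [{"kid": "kid-A", "kty": "RSA", "use": "sig"}]}
    now, fetches = [0.0], [0]

    def fetch():
        fetches[0] += 1
        return published

    cache = JwksCache(fetch, min_refetch_seconds=60, clock=lambda: now[0])
    result = {"before": cache.key_for("kid-A") is not None}
    # Rotation happens: new tokens are signed with kid-B (constructed value).
    published = {"keys": [{"kid": "kid-B", "kty": "RSA", "use": "sig"}]}
    now[0] = 5.0
    result["inside_window"] = cache.key_for("kid-B")    # None: refetch not yet allowed
    now[0] = 61.0
    result["after_window"] = cache.key_for("kid-B")     # refetched, key found
    now[0] = 62.0
    result["bogus"] = cache.key_for("kid-bogus")        # None, and no extra fetch
    result["fetches"] = fetches[0]
    return result

if __name__ == "__main__":
    print(simulate_rotation())
```

The refetch interval is a trade-off: a shorter gap accepts tokens signed with the new key sooner, while a longer one limits fetches triggered by unknown `kid` values.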
