
How to Trigger the Notification for OKTA Keys Before Rotation is Done

Okta Classic Engine
Okta Identity Engine
API Access Management

Overview

Okta automatically rotates signing keys used by Authorization Servers approximately four times a year. Okta generates new keys a few weeks before the rotation to allow downstream systems to update. However, there is no built-in mechanism or event hook designed to trigger notifications before a key rotation occurs. To receive alerts, administrators must monitor the JSON Web Key Set (JWKS) endpoint using Okta Workflows or external automation to detect when a new key appears.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Authorization Servers
  • Key Rotation
  • Okta Workflows

Solution

How can notifications be configured for Okta signing key rotations?

Implement a custom monitoring solution to detect new signing keys using the following recommendations.

  • Monitor the JSON Web Key Set (JWKS) endpoint (jwks_uri) periodically and compare the key set to detect when a new key appears.
  • Use Okta Workflows or an external automation tool to build a scheduled flow that checks the JWKS endpoint and sends a notification via email or chat when a new key is detected.
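The comparison step above, as an added example that is not Okta's own code: it indexes the JWKS by `kid`, diffs a stored snapshot against the current key set, and produces an alert text when a key appears or disappears. The issuer URL is a placeholder and both JWKS documents are constructed samples; the `fetch_jwks` helper uses the standard OIDC discovery path and is only needed when run against a live authorization server.

```python
"""Detect new authorization-server signing keys by diffing JWKS snapshots."""
import json
import urllib.request
from typing import Any, Dict, List, Optional

# Placeholder issuer; replace with the authorization server's issuer URL.
ISSUER = "https://example.okta.com/oauth2/default"

# Constructed sample key sets: the second one shows a newly published key.
PREVIOUS_JWKS = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "kid-constructed-1",
     "n": "constructed-modulus-1", "e": "AQAB"},
]}
CURRENT_JWKS = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "kid-constructed-1",
     "n": "constructed-modulus-1", "e": "AQAB"},
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "kid-constructed-2",
     "n": "constructed-modulus-2", "e": "AQAB"},
]}


def fetch_jwks(issuer: str) -> Dict[str, Any]:
    """Resolve jwks_uri from the issuer's discovery document and fetch the key set."""
    with urllib.request.urlopen(f"{issuer}/.well-known/openid-configuration", timeout=10) as r:
        jwks_uri = json.load(r)["jwks_uri"]
    with urllib.request.urlopen(jwks_uri, timeout=10) as r:
        return json.load(r)


def key_ids(jwks: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Index the 'keys' array by kid; keys without a kid cannot be tracked."""
    return {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}


def diff_jwks(previous: Dict[str, Any], current: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return kids that were added to or removed from the snapshot."""
    old, new = key_ids(previous), key_ids(current)
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys())}


def build_alert(issuer: str, diff: Dict[str, List[str]]) -> Optional[str]:
    """Produce the notification body when the key set changed, else None."""
    if not diff["added"] and not diff["removed"]:
        return None
    return (f"Signing key change at {issuer}: "
            f"added={diff['added'] or '-'} removed={diff['removed'] or '-'}")


if __name__ == "__main__":
    # Scheduled job: compare the stored snapshot with the current key set.
    print(build_alert(ISSUER, diff_jwks(PREVIOUS_JWKS, CURRENT_JWKS)))
```

A scheduled job would persist the latest JWKS as the new snapshot after each run so that the same new key is reported only once.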

