PingOne

Key rotation policies

Key rotation is the process of generating a new version of a cryptographic key and then replacing the old key with it. Regular rotation reduces risk by limiting how much data, here how many issued tokens, any single key protects, and by bounding the window in which a leaked key stays useful.

PingOne automates this through key rotation policies (KRPs), which generate a new signing key at a fixed interval. The default rotation interval is 90 days, which exceeds industry best practices. New applications automatically use a key from the default KRP to sign access tokens and ID tokens. If an existing application does not use the default KRP, you can update it to do so. Learn more in Updating the key rotation policy for an application. Because the active signing key changes at every rotation, anything that validates PingOne tokens must look up the verification key by the token's kid header in the published JWKS rather than pinning a single key; otherwise verification breaks at the first rotation.

Beginning March 2, 2027, PingOne will use only signing keys from KRPs to sign ID tokens and access tokens, regardless of whether the audience of the access token is the PingOne APIs or a custom resource. Any OpenID Connect (OIDC) application not yet using a KRP will be updated automatically to the default KRP on that date.
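The relying-party side of the rotation described above, as an added example that is not PingOne's code or documentation: an in-memory issuer rotates its RS256 signing key, and a verifier resolves keys by kid from a cached key set, refreshing that cache once when a token names a kid it has not seen. The issuer, the constructed kid names "krp-key-N", and the published() key set (a stand-in for the JWKS document an OIDC provider such as PingOne serves at the jwks_uri in its discovery document) are all assumptions of this example; the signing and verification calls are Go standard library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// issuer stands in for the authorization-server side of a KRP (constructed for this
// example, not PingOne's code): it signs with the newest key and keeps publishing the
// public halves of earlier keys so tokens issued under them still verify.
type issuer struct{ keys []*rsa.PrivateKey } // oldest first; the last one is active

func (is *issuer) rotate() {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // error only on rand.Reader failure
	is.keys = append(is.keys, k)
}

// sign produces a compact RS256 JWT whose header names the active key by kid.
func (is *issuer) sign(claims map[string]any) string {
	i := len(is.keys) - 1
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": fmt.Sprintf("krp-key-%d", i+1)})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, is.keys[i], crypto.SHA256, digest[:]) // same caveat
	return input + "." + b64.EncodeToString(sig)
}

// published is the kid-indexed key set the issuer advertises; it stands in for the
// JWKS document a relying party fetches from the provider over HTTPS.
func (is *issuer) published() map[string]*rsa.PublicKey {
	set := map[string]*rsa.PublicKey{}
	for i, k := range is.keys {
		set[fmt.Sprintf("krp-key-%d", i+1)] = &k.PublicKey
	}
	return set
}

// verifier is the relying-party side: a kid-indexed cache of public keys, refreshed
// from the provider only when a token names a kid the cache does not hold.
type verifier struct {
	fetch     func() map[string]*rsa.PublicKey
	cache     map[string]*rsa.PublicKey
	Refreshes int
}

// verify checks an RS256 compact JWT and returns its claims. An unknown kid triggers
// exactly one refresh; a kid still unknown afterwards is rejected (kid is attacker input).
func (v *verifier) verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, _ := b64.DecodeString(parts[0]) // decode errors surface as bad header/signature
	body, _ := b64.DecodeString(parts[1])
	sig, _ := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or unexpected alg") // pin the alg; never trust the token's
	}
	pub, ok := v.cache[hdr.Kid]
	if !ok {
		v.cache, v.Refreshes = v.fetch(), v.Refreshes+1 // replace, don't merge: retired keys drop out
		if pub, ok = v.cache[hdr.Kid]; !ok {
			return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	return claims, json.Unmarshal(body, &claims)
}

// runScenario walks a relying party through one rotation: tokens from before and after
// it both verify, each new kid costs one refresh, and a token from a constructed attacker
// key that reuses a published kid fails, since a kid selects a key but never grants trust.
func runScenario() (oldOK, newOK, rogueRejected bool, refreshes int) {
	is := &issuer{}
	is.rotate()
	v := &verifier{fetch: is.published}
	before := is.sign(map[string]any{"sub": "user-1"})
	_, errFirst := v.verify(before) // cold cache: first refresh
	is.rotate()                     // KRP interval elapsed: new active key, old one still published
	after := is.sign(map[string]any{"sub": "user-1"})
	_, errNew := v.verify(after)  // unknown kid: second refresh
	_, errOld := v.verify(before) // pre-rotation token still valid, no further refresh
	rogue := &issuer{}            // attacker key whose kid "krp-key-1" collides with a real one
	rogue.rotate()
	_, errRogue := v.verify(rogue.sign(map[string]any{"sub": "admin"}))
	return errFirst == nil && errOld == nil, errNew == nil, errRogue != nil, v.Refreshes
}
```

Two design choices matter in production: the cache is replaced, not merged, on refresh, so a key PingOne has retired from the JWKS stops being accepted; and a miss triggers at most one refresh per token, so a flood of tokens with random kids cannot turn your verifier into a JWKS-fetch amplifier. Claims such as exp, iss and aud still need to be checked after the signature passes.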

Application types

KRPs apply to the following PingOne application types:

  • OIDC

  • Native

  • Single page

  • Worker

  • Device authorization

Non-worker OIDC-based applications

If the application uses the authorization code grant type and has the p1:read:user self-management scope granted, you can update the application to use the default KRP. Learn more in Updating the key rotation policy for an application and in PingOne self-management scopes in the PingOne API documentation.

Worker applications

You can select which signing key non-interactive and interactive worker applications use. PingOne uses the KRP to sign tokens as follows:

Non-interactive worker

If the application uses the client credentials grant type, you can select the signing key for the application to use. If you set the non-interactive worker application to use a KRP, PingOne uses the selected KRP to sign API access tokens. Learn more in Editing an application - Worker.

Interactive worker

If the application uses the authorization code grant type and has the openid scope granted, you can select the signing key for the application to use. If you set the interactive worker application to use a KRP, PingOne uses the selected KRP to sign API access tokens and ID tokens. Learn more in Editing an application - Worker.

Using the admin console

You can manage signing keys for applications in the PingOne admin console as follows:

Using the API

You can review and fine-tune KRPs using the PingOne API. Learn more in Key rotation policies in the PingOne Platform API Reference.