Periodically refresh JWT public key set #87

Opened by @tmikula-dev

Description

Background

EventGate currently loads the JWT public key set from the Login Service once at Lambda cold start and then keeps that set for the lifetime of the Lambda execution environment.

The Login Service rotates signing keys as follows:

  1. It generates a new public/private key pair.
  2. It adds the new public key to the exposed key set.
  3. For 30 minutes, it continues signing JWTs with the old key(s) only.
  4. After that grace period, it may start signing with the new key and eventually remove old keys.

Risks:
EventGate may not yet have the new key if a single Lambda instance lives for too long. The Login Service performs the rotation, attaches the new key to the key set, and then for 30 minutes does not yet use it for signing JWTs.

Feature

Add a periodic, automatic refresh of the JWT public key set inside EventGate.
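The following is an added example (not EventGate's code and not the Login Service's) of what such a refresh could look like: a key-set cache that reloads on a fixed interval and also reloads once, rate-limited, when a token arrives with a `kid` it has never seen. The fetcher, the `kid`-keyed shape of the key set, the injectable clock, and the `simulate_rotation` driver (which replays the four rotation steps above against the cache with a constructed key set) are all assumptions made for the example.

```python
import time
from typing import Callable, Dict, Optional

# Assumed shape: key id -> JWK dictionary. A real key set would carry RSA/EC
# parameters; the example only needs the 'kid' for lookups.
JwkSet = Dict[str, dict]


class JwksCache:
    """Cache of a JWT public key set that refreshes on a fixed interval and,
    rate-limited, whenever an unknown key id is requested (a sign that the
    issuer rotated keys since the last load)."""

    def __init__(self, fetch: Callable[[], JwkSet], refresh_interval: float = 600.0,
                 min_refresh_gap: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch                    # assumed: returns the current key set
        self._refresh_interval = refresh_interval
        self._min_refresh_gap = min_refresh_gap  # floor between fetch attempts
        self._clock = clock
        self._keys: JwkSet = {}
        self._last_refresh: Optional[float] = None  # last successful load
        self._last_attempt: Optional[float] = None  # last attempt, success or not
        self.refresh_count = 0

    def _stale(self) -> bool:
        return (self._last_refresh is None
                or self._clock() - self._last_refresh >= self._refresh_interval)

    def _can_attempt(self) -> bool:
        # Unknown kids in forged tokens must not turn into a fetch per request.
        return (self._last_attempt is None
                or self._clock() - self._last_attempt >= self._min_refresh_gap)

    def _refresh(self) -> None:
        self._last_attempt = self._clock()
        try:
            new_keys = self._fetch()
        except Exception:
            # Keep serving the previously loaded set rather than failing every
            # request; with no set at all there is nothing to verify against.
            if not self._keys:
                raise
            return
        if new_keys:
            self._keys = dict(new_keys)  # replace wholesale so removed keys drop out
        self._last_refresh = self._clock()
        self.refresh_count += 1

    def get_key(self, kid: str) -> Optional[dict]:
        if self._stale() and self._can_attempt():
            self._refresh()
        key = self._keys.get(kid)
        if key is None and self._can_attempt():
            self._refresh()  # unknown kid: maybe a rotation landed since last load
            key = self._keys.get(kid)
        return key


def simulate_rotation(refresh_interval: float) -> dict:
    """Replay the Login Service rotation steps against the cache with a
    constructed key set and a fake clock (seconds)."""
    now = [0.0]
    key_set: JwkSet = {"key-1": {"kid": "key-1", "kty": "RSA"}}
    cache = JwksCache(lambda: dict(key_set), refresh_interval=refresh_interval,
                      min_refresh_gap=30.0, clock=lambda: now[0])
    cold_start = cache.get_key("key-1") is not None   # load at cold start
    now[0] += 3600
    key_set["key-2"] = {"kid": "key-2", "kty": "RSA"}  # steps 1-2: new key published
    found_old = cache.get_key("key-1") is not None     # step 3: still signed with key-1
    now[0] += 1800                                     # 30-minute grace period over
    found_new = cache.get_key("key-2") is not None     # step 4: signed with key-2
    del key_set["key-1"]                               # step 4: old key removed
    now[0] += refresh_interval
    old_removed = cache.get_key("key-1") is None       # removed key no longer accepted
    return {"cold_start": cold_start, "found_old": found_old, "found_new": found_new,
            "old_removed": old_removed, "refreshes": cache.refresh_count}


if __name__ == "__main__":
    print(simulate_rotation(600.0))
    print(simulate_rotation(86400.0))
```

With a 10-minute interval the cache picks up `key-2` on its regular refresh; with a 24-hour interval it still finds `key-2` because the first token carrying the unknown `kid` triggers an on-demand reload, which covers a long-lived Lambda instance between periodic refreshes. Replacing the set wholesale on each load means a key the Login Service removed stops verifying tokens at the next refresh.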

Labels

enhancement (New feature or request)