This topic describes recommendations for service account (SA) key rotation and provides steps for rotating static Ed25519 keys and JWKS-backed keys.

Recommendations for key rotation

The following table summarizes key rotation aspects and recommended practices:
Aspect              Recommendation
Key type            Use Ed25519 (the default), or RS256 when integrating with JWKS.
Rotation interval   Rotate keys every 90 days in development environments and every 30 to 60 days in production environments that handle sensitive data.
Overlap             Keep the previous public key available until all tokens minted with it have expired, so that outstanding tokens keep verifying across the rotation.

Rotate static Ed25519 keys

Follow these steps to rotate static Ed25519 keys:
  1. Use mcpgen or external tooling to generate a new key pair.
  2. Update the profile or the exported bundle secret source with the new private key.
  3. If token verification is externalized, for example to a downstream auditing system, keep the old public key available there until all tokens signed with it have expired.
  4. Generate new SA tokens using the updated key.
  5. Securely delete the old private key after all tokens using it have expired. Verification needs only the public key, so the old private key has no remaining purpose once nothing signs with it; it is the old public key that must stay available through the overlap window.
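The five steps above as one runnable Go example. This is added here for illustration; it is not OpenEdge MCP Server or mcpgen code and does not use the server's real token or bundle format. The key ring, the JSON claims layout, the kid derivation from the public key, and the rule that a key may be retired only once the latest expiry minted under it has passed are all assumptions of the example.

```go
package main

// Added example (not OpenEdge MCP Server or mcpgen code): a kid-tagged Ed25519 key ring
// that keeps an old public key for verification until every token minted with it has expired.

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type claims struct {
	Kid string `json:"kid"` // which key signed the token
	Sub string `json:"sub"`
	Exp int64  `json:"exp"` // unix seconds
}

type keyRing struct {
	activeKid string
	signer    ed25519.PrivateKey           // only the active key's private half is kept
	pub       map[string]ed25519.PublicKey // active plus still-overlapping public keys
	lastExp   map[string]int64             // latest exp minted under each kid
}

func newKeyRing() *keyRing {
	return &keyRing{pub: map[string]ed25519.PublicKey{}, lastExp: map[string]int64{}}
}

// rotate generates a new pair and makes it the signer (steps 1 and 2). The old private
// key is overwritten at once; its public key stays so already-issued tokens keep verifying.
func (r *keyRing) rotate() (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	kid := fmt.Sprintf("%x", pub[:4]) // kid derived from the key; an assumption of the example
	r.signer, r.activeKid, r.pub[kid] = priv, kid, pub
	return kid, nil
}

// mint signs with the active key (step 4) and records the exp issued under it.
// Token layout, assumed for illustration: base64url(JSON claims) "." base64url(signature).
func (r *keyRing) mint(sub string, now time.Time, ttl time.Duration) (string, error) {
	if r.signer == nil {
		return "", fmt.Errorf("no active signing key; call rotate first")
	}
	exp := now.Add(ttl).Unix()
	payload, _ := json.Marshal(claims{Kid: r.activeKid, Sub: sub, Exp: exp})
	if exp > r.lastExp[r.activeKid] {
		r.lastExp[r.activeKid] = exp
	}
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(r.signer, payload)), nil
}

// verify picks the public key named by kid, then checks signature and expiry (step 3).
func (r *keyRing) verify(tok string, now time.Time) (*claims, error) {
	p, s, found := strings.Cut(tok, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(p)
	sig, err2 := base64.RawURLEncoding.DecodeString(s)
	var c claims
	if !found || err1 != nil || err2 != nil || json.Unmarshal(payload, &c) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	pub, known := r.pub[c.Kid]
	switch {
	case !known:
		return nil, fmt.Errorf("unknown kid %q (retired too early?)", c.Kid)
	case !ed25519.Verify(pub, payload, sig):
		return nil, fmt.Errorf("bad signature for kid %q", c.Kid)
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// retire drops a kid's public key (step 5), but only once every token minted with it has expired.
func (r *keyRing) retire(kid string, now time.Time) error {
	if _, known := r.pub[kid]; !known || kid == r.activeKid {
		return fmt.Errorf("kid %q is unknown or still the active signer", kid)
	}
	if now.Unix() < r.lastExp[kid] {
		return fmt.Errorf("kid %q has live tokens until unix %d", kid, r.lastExp[kid])
	}
	delete(r.pub, kid)
	delete(r.lastExp, kid)
	return nil
}

func main() {
	r, now := newKeyRing(), time.Now()
	oldKid, _ := r.rotate()
	tok, _ := r.mint("svc-reporting", now, time.Hour)
	r.rotate() // new signer from here on; oldKid's public key remains for verification
	_, err := r.verify(tok, now.Add(10*time.Minute))
	fmt.Println("overlap:", err, "| retire +30m:", r.retire(oldKid, now.Add(30*time.Minute)), "| retire +2h:", r.retire(oldKid, now.Add(2*time.Hour)))
}
```

The point to carry over to a real deployment is the bookkeeping in lastExp: the private key disappears at rotation, but the public key of the previous kid is only removed once the latest expiry issued under it has passed, and an attempt to retire it earlier is refused rather than silently breaking outstanding tokens.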

Rotate JWKS-backed keys

JWKS rotation is managed by the identity provider (IdP). The OpenEdge MCP Server picks up new keys when its JWKS cache expires, so a key the IdP has just published is not usable by a server until that server has refreshed its cache. After configuring JWKS rotation, verify these settings to maintain reliable key updates:
  • Set jwks_cache_seconds to a small but reasonable value, such as 300 to 900 seconds, so that rotations are picked up promptly. Every server refetches the JWKS at that interval, so a lower value means more requests to the IdP. The IdP should also publish a new key at least jwks_cache_seconds before it starts signing with it; otherwise servers with a stale cache reject the new tokens until they refresh.
  • Monitor for verification failures, such as bursts of HTTP 401 errors. A burst may indicate that the IdP removed an old key while tokens signed with it were still valid, or that it began signing with a new key before the caches had refreshed.
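The cache behaviour described above, as an added Go example that is not OpenEdge MCP Server code. The IdP, its JWKS and the token are in-memory stand-ins constructed for the example (a map instead of an HTTPS JWKS document, and a kid/message/signature triple instead of a real JWT); the verifier's ttl field plays the role of jwks_cache_seconds, and the failures counter is the signal the monitoring bullet asks for. It walks through a rotation on a stale cache, the pickup once the cache expires, and the failures caused by unpublishing the old key while its tokens are still live.

```go
package main

// Added example (not OpenEdge MCP Server code): a JWKS-caching verifier against an
// in-memory stand-in for the IdP, showing why jwks_cache_seconds and the IdP's
// overlap window both matter.

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// jwks is the published key set: kid -> public key (constructed here; no JSON or HTTP).
type jwks map[string]ed25519.PublicKey

// signed is a token reduced to what key selection needs: kid, message, signature.
type signed struct {
	Kid      string
	Msg, Sig []byte
}

// idp stands in for the identity provider that owns rotation.
type idp struct {
	current string
	priv    map[string]ed25519.PrivateKey
	pub     jwks
	fetches int // how often verifiers have pulled the JWKS
}

func newIdP() *idp { return &idp{priv: map[string]ed25519.PrivateKey{}, pub: jwks{}} }

// rotate publishes a new kid and starts signing with it; the old kid stays published.
func (p *idp) rotate() string {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	kid := fmt.Sprintf("kid-%d", len(p.priv)+1) // sequential kid, an assumption of the example
	p.priv[kid], p.pub[kid], p.current = priv, pub, kid
	return kid
}

// unpublish drops a kid from the JWKS. Doing this before that kid's tokens expire is
// the premature removal the monitoring bullet warns about.
func (p *idp) unpublish(kid string) { delete(p.pub, kid) }

func (p *idp) sign(msg []byte) signed {
	return signed{Kid: p.current, Msg: msg, Sig: ed25519.Sign(p.priv[p.current], msg)}
}

// fetchJWKS returns a snapshot, as an HTTP GET of the JWKS URL would.
func (p *idp) fetchJWKS() jwks {
	p.fetches++
	snap := jwks{}
	for k, v := range p.pub {
		snap[k] = v
	}
	return snap
}

// verifier caches the JWKS for ttl (the role of jwks_cache_seconds) and refetches
// only once the cache has expired, as the page describes for the MCP Server.
type verifier struct {
	fetch     func() jwks
	ttl       time.Duration
	keys      jwks
	fetchedAt time.Time
	failures  int // rejected tokens; a burst here is what to alert on
}

func (v *verifier) verify(s signed, now time.Time) error {
	if v.keys == nil || now.Sub(v.fetchedAt) >= v.ttl {
		v.keys, v.fetchedAt = v.fetch(), now
	}
	pub, ok := v.keys[s.Kid]
	if !ok {
		v.failures++
		return fmt.Errorf("kid %q not in cached JWKS (cache age %s)", s.Kid, now.Sub(v.fetchedAt))
	}
	if !ed25519.Verify(pub, s.Msg, s.Sig) {
		v.failures++
		return fmt.Errorf("bad signature for kid %q", s.Kid)
	}
	return nil
}

func main() {
	p := newIdP()
	kidA := p.rotate()
	v := &verifier{fetch: p.fetchJWKS, ttl: 300 * time.Second}
	t0 := time.Unix(1700000000, 0)
	tokA := p.sign([]byte("sub=svc-a"))
	fmt.Println("t+0s   kid-A:", v.verify(tokA, t0))
	p.rotate()
	tokB := p.sign([]byte("sub=svc-b"))
	fmt.Println("t+120s kid-B:", v.verify(tokB, t0.Add(120*time.Second))) // stale cache, rejected
	fmt.Println("t+300s kid-B:", v.verify(tokB, t0.Add(300*time.Second))) // cache refreshed, accepted
	p.unpublish(kidA)
	fmt.Println("t+700s kid-A:", v.verify(tokA, t0.Add(700*time.Second))) // removed too early, rejected
	fmt.Println("failures:", v.failures)
}
```

Two things fall out of running it. The token signed with kid-B is rejected for the whole cache lifetime after the IdP switches to it, which is why the IdP should publish a new key one cache interval before signing with it; and the cache masks the removal of kid-A for up to ttl, after which every still-valid kid-A token fails at once, which is the burst the monitoring bullet describes.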