Rotation procedures ensure that cryptographic materials and security artifacts remain secure and compliant with organizational policies. Regular rotation reduces the risk of compromise and maintains trust in authentication and encryption mechanisms.

The following table lists the artifacts that require rotation, the triggers for rotation, and the recommended methods:

| Artifact | Rotation trigger | Method |
| --- | --- | --- |
| Service account public or private key | Periodic rotation every 90–180 days or upon compromise | Generate a new key pair, deploy the public key, issue new tokens, and retire the old key |
| Service account JWT | Token expiry or scope change | Use remint-all or an external signer pipeline |
| TLS certificate | Certificate expiry based on CA policy | Automate renewal using ACME or corporate PKI |
| JWKS keys | As per identity provider rotation schedule | Rely on JWKS cache TTL and monitor for failures |
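
The JWKS entry above depends on the verifier's cache picking up rotated keys and on failures being visible. The following Python is an added example, not code from the product documented here: `JwksCache`, its `fetch` callable, the `ttl` and `min_refresh_interval` values, and the counter names are all assumptions chosen for illustration.

```python
import time

class JwksCache:
    """Verifier-side JWKS cache: TTL expiry, refetch on unknown kid, failure counters."""

    def __init__(self, fetch, ttl=300.0, min_refresh_interval=30.0, clock=time.monotonic):
        self._fetch = fetch                  # assumed callable returning {"keys": [...]}
        self._ttl = ttl                      # seconds a fetched key set is trusted
        self._min_interval = min_refresh_interval  # throttle for unknown-kid refetches
        self._clock = clock
        self._keys = {}
        self._last_attempt = None
        self.fetch_failures = 0              # alert on this: rotation cannot be picked up
        self.unknown_kid = 0                 # alert on this: tokens name untrusted keys

    def _refresh(self):
        self._last_attempt = self._clock()
        try:
            self._keys = {k["kid"]: k for k in self._fetch()["keys"]}
        except Exception:
            # Design choice: keep the last good set so verification stays available.
            # A retired key stays trusted until a fetch succeeds, hence the counter.
            self.fetch_failures += 1

    def get_key(self, kid):
        age = None if self._last_attempt is None else self._clock() - self._last_attempt
        expired = age is None or age >= self._ttl
        throttled = age is not None and age < self._min_interval
        if expired or (kid not in self._keys and not throttled):
            self._refresh()
        key = self._keys.get(kid)
        if key is None:
            self.unknown_kid += 1            # caller must reject the token
        return key

if __name__ == "__main__":
    # Constructed JWKS documents standing in for the identity provider's endpoint.
    published = {"keys": [{"kid": "2024-01", "kty": "RSA"}]}
    cache = JwksCache(lambda: published, ttl=300, min_refresh_interval=0)
    print(cache.get_key("2024-01"))
    published = {"keys": [{"kid": "2024-04", "kty": "RSA"}]}   # provider rotates
    print(cache.get_key("2024-04"), cache.get_key("2024-01"))
```

The refetch throttle keeps a stream of tokens with unknown `kid` values from turning into a stream of requests to the identity provider; a rising `unknown_kid` count after a scheduled rotation usually means a signer is still using the retired key.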