Key rotation via REST API, can I set an expiration?

I am looking at automating regular rotations of the Keycloak Signing Key in each realm.

It’s easy enough to have it create a new Key with the REST API, but I was struggling to find in the documentation how to set an expiration date.

I also don’t want to have to “bring my own key”, I’d much rather it just get generated internally to Keycloak with the expiration I define. That’s the hope at least - i.e., call the API to tell it to create a new RSA 2048 key with 60 day expiration.

The KeyMetadataRepresentation lists a “validTo”, but that doesn’t seem to be it, or if it is, I’m missing the format somewhere (epoch didn’t work, neither did things like 2026-03-07T13:15:43.587209).

Anyone know where in the documentation I’m missing it? Know how to set the expiration when calling the REST API? Or just not possible without bringing our own custom key?

E.g., …/myrealm/components

I need a way to specify a shorter expiry than the default 10 year one.

    "config": {
        "keySize": [
            "2048"
        ],
        "active": [
            "true"
        ],
        "priority": [
            "200"
        ],
        "enabled": [
            "true"
        ],
        "algorithm": [
            "RS256"
        ]
    }
}