
Stop Babysitting Signing Keys

Automated lifecycle management for signing and validation keys: generation, rotation, propagation, and retirement. Native to IdentityServer. Zero-downtime by design.


What Wonderful Cryptographic Hygiene!

Key rotation is the identity infrastructure discipline everyone knows matters and almost nobody does well. Doing it correctly without breaking production requires careful coordination across discovery endpoints, cache lifetimes, and token expiry windows. Get any of it wrong and token validation breaks across every connected application at once. Automatic Key Management makes the correct path the default.

Automated Full Lifecycle

Responsible key rotation is a multi-step, complex choreography: new keys must be announced before they're used, then retained after retirement until it's safe to delete them. Miss a step and users can't log in. IdentityServer handles the full sequence natively. No external tooling, no calendar reminders, no manual rollover.

Zero-Downtime Rollover by Design

Keys are propagated to connected applications before old keys expire. Token validation chains never break during rotation. The capability is engineered to minimize potential outages.

No External Dependency

Automatic Key Management builds on the ASP.NET Core security primitives you already trust rather than reinventing key management, a task that's both time-consuming to get right and risky to get wrong. No third-party service to procure, integrate, or maintain. Runs wherever IdentityServer runs, including air-gapped, sovereign, and embedded deployments.

Capabilities

Eliminate one of the most common and most preventable causes of identity infrastructure outages. Keys are managed as infrastructure, not as a manual task that one developer remembers.

  • Generation on a configurable schedule using current best-practice algorithms
  • Automatic rotation through the Announce → Sign → Retire → Delete lifecycle
  • Encrypted storage at rest via ASP.NET Core Data Protection
  • Multi-algorithm support across RS, PS, and ES families
  • X.509 certificate wrapping, optional per algorithm
  • Discovery publication so client caches refresh before old keys expire
  • Validation continuity for in-flight tokens during rotation
  • Scheduled retirement of keys no longer in active use
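The Announce → Sign → Retire → Delete choreography described above (and under "Automated Full Lifecycle") is really a set of timing invariants: a key must be published in discovery for at least as long as clients cache the key set before it signs anything, and it must stay published after it stops signing for at least as long as the longest-lived token it signed. The simulation below is an added illustration, not IdentityServer's code or configuration; the policy names (`rotation_interval`, `propagation_time`, `retention`, `client_cache_ttl`, `max_token_lifetime`) and all durations are constructed assumptions. It drives keys through the four phases on an hourly clock, models a relying party that caches the published key set, issues one token per hour, and counts validation failures, so you can see a sound policy produce zero failures and a policy with no propagation or retention window break in-flight tokens at every rollover.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed policy for the simulation; every duration is in hours. The values
# are illustrative assumptions, not IdentityServer's defaults.
@dataclass(frozen=True)
class RotationPolicy:
    rotation_interval: int = 24 * 90   # how long a key is the active signing key
    propagation_time: int = 24 * 14    # announced in discovery before first use
    retention: int = 24 * 14           # published after last use, then deleted
    client_cache_ttl: int = 24         # how long relying parties cache the key set
    max_token_lifetime: int = 24 * 7   # longest-lived token the issuer signs


def policy_violations(p: RotationPolicy) -> list[str]:
    """Timing invariants behind zero-downtime rotation; each maps to an outage mode."""
    problems = []
    if p.propagation_time < p.client_cache_ttl:
        problems.append("propagation_time < client_cache_ttl: a client can hold a cached "
                        "key set without the new key when that key starts signing")
    if p.retention < p.max_token_lifetime:
        problems.append("retention < max_token_lifetime: in-flight tokens outlive "
                        "their key's presence in discovery")
    return problems


@dataclass
class Key:
    kid: str
    announced: int   # Announce: published in discovery, not yet used
    sign_start: int  # Sign: becomes the active signing key
    sign_end: int    # Retire: stops signing, stays published for validation
    delete_at: int   # Delete: removed from discovery and storage

    def phase(self, now: int) -> str:
        if now < self.sign_start:
            return "announced"
        if now < self.sign_end:
            return "signing"
        if now < self.delete_at:
            return "retired"
        return "deleted"


class KeyManager:
    """Drives keys through Announce -> Sign -> Retire -> Delete on a simulated clock."""

    def __init__(self, policy: RotationPolicy):
        self.policy = policy
        self.keys: list[Key] = []   # oldest first; the last entry is the newest
        self._seq = 0

    def _create(self, announced: int, sign_start: int) -> Key:
        self._seq += 1
        sign_end = sign_start + self.policy.rotation_interval
        key = Key(f"key-{self._seq}", announced, sign_start, sign_end,
                  sign_end + self.policy.retention)
        self.keys.append(key)
        return key

    def signing_key(self, now: int) -> Optional[Key]:
        return next((k for k in self.keys if k.phase(now) == "signing"), None)

    def published_kids(self, now: int) -> set[str]:
        """Key ids the discovery document exposes right now (announced, signing, retired)."""
        return {k.kid for k in self.keys if k.phase(now) != "deleted"}

    def tick(self, now: int) -> None:
        p = self.policy
        self.keys = [k for k in self.keys if now < k.delete_at]      # Delete
        current = self.signing_key(now)
        if current is None:
            # Bootstrap (or the gap a zero propagation window leaves): the key
            # has to sign immediately, so it is announced and used at once.
            self._create(now, now)
            return
        if current is self.keys[-1] and now + p.propagation_time >= current.sign_end:
            # Announce the successor early enough for the full propagation
            # window; the current key keeps signing until the successor is usable.
            successor = self._create(now, max(current.sign_end, now + p.propagation_time))
            current.sign_end = successor.sign_start
            current.delete_at = current.sign_end + p.retention


class RelyingParty:
    """A client that caches the published key set for client_cache_ttl hours."""

    def __init__(self, policy: RotationPolicy):
        self.policy = policy
        self.cached: set[str] = set()
        self.fetched_at: Optional[int] = None

    def known_kids(self, now: int, issuer: KeyManager) -> set[str]:
        if self.fetched_at is None or now - self.fetched_at >= self.policy.client_cache_ttl:
            self.cached = issuer.published_kids(now)
            self.fetched_at = now
        return self.cached

    def validate(self, token: tuple[str, int, int], now: int, issuer: KeyManager) -> bool:
        kid, _iat, exp = token
        return now < exp and kid in self.known_kids(now, issuer)


def simulate(policy: RotationPolicy, hours: int = 24 * 400) -> dict[str, int]:
    """Issue one token per hour and re-validate every unexpired token each hour."""
    issuer, client = KeyManager(policy), RelyingParty(policy)
    outstanding: list[tuple[str, int, int]] = []
    kids_used: set[str] = set()
    failures = 0
    for now in range(hours):
        issuer.tick(now)
        key = issuer.signing_key(now)
        kids_used.add(key.kid)
        outstanding.append((key.kid, now, now + policy.max_token_lifetime))
        outstanding = [t for t in outstanding if now < t[2]]
        failures += sum(not client.validate(t, now, issuer) for t in outstanding)
    return {"rotations": len(kids_used) - 1, "failed_validations": failures,
            "keys_in_store": len(issuer.keys)}


if __name__ == "__main__":
    for p in (RotationPolicy(), RotationPolicy(propagation_time=0, retention=0)):
        print(policy_violations(p) or "policy ok", simulate(p))
```

The two checks in `policy_violations` are the ones worth wiring into a deployment review: the propagation window must cover the longest client-side cache of the discovery document (including any intermediary caching in front of it), and the retention window must cover the longest token lifetime the issuer hands out, including refresh-token-derived access tokens. With the constructed policy the simulation reports four rollovers over 400 days and no failed validations; with zero propagation and zero retention every rollover invalidates the tokens still in flight.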

How to Get It

Automatic Key Management is included as a capability of Duende IdentityServer across all eligible tiers:

Tier               Availability
Community Edition  Not available
Lite               Not available
Standard           Add-on, $2,000 flat fee
Advanced           Base capability, included at no additional cost
Custom             Base capability, included at no additional cost

See the IdentityServer pricing page for full tier details.