Securely managing public keys for IoT services that you use is an important part of the Token Access Control API. It allows for key rotation to cover situations when you change the private key that signs your tokens, or your public key has been compromised. The key rotation process relies on the fact that an IoT property can use either a primary or secondary key to validate requests. If a primary key fails to validate the signature of a JWT, the IoT property tries a secondary key to validate the same token.

To rotate a primary public key, you can create a version of the key collection that your property uses and add a secondary key. This allows for a transition period when edge servers validate JWTs signed with the old and new private keys. After you've decided to entirely retire the primary public key, you can create and activate another key collection version where the secondary public key becomes the primary one.


You don't need to version your IoT property configuration to update the public keys it uses to validate JWTs. The JWT behavior in your property always points to the keys stored in the active version of the previously indicated key collection.