Key Rotation Procedure

How to rotate signing keys, API keys, and other cryptographic material

Public

Key Rotation Procedure

Implements: Cryptography Policy Section 4 (Key Management) Owner: Cryptography Specialist Last Updated: 21 May 2026 Next Review: 21 November 2026

Key Inventory

Key TypeLocationRotation ScheduleImpact of Rotation
Issuer signing key (RedJubjub)Cloudflare Workers Secret (provii-issuer)Annual or on compromiseAll existing credentials invalidated, users must re-issue
Verifier HMAC keysCloudflare Workers Secret (provii-verifier)90 days (recommended)Existing HMAC signatures become invalid; verifiers must update
API keys (customer)Cloudflare KV (provii-management)Customer-managed; 90-day recommendationOld key stops working; customer updates integration
JWKS public keysCloudflare KV (public endpoint)Updated when signing key rotatesVerifiers fetch new keys from JWKS endpoint
Cloudflare API tokenCloudflare DashboardAnnualCI/CD must be updated with new token
GitHub Actions secretsGitHub Settings > SecretsWhen Cloudflare token rotatesCI workflows use new token
DOCS_SESSION_HMAC_KEY (docs interactive sandbox session cookie HMAC)Cloudflare Secrets Store (internal binding; ID maintained internally)Planned 90 days. The rotation runbook and the kid-header flow are planned work. Current deployment is single-kid per the docs session layer at demo-web-provii-agegate/src/docs/session.ts.Until the dual-kid flow lands, rotation invalidates all active docs-session bearers in flight. The planned kid prefix on the bearer and dual-key acceptance will let rotation proceed without invalidating in-flight sessions. Rotation runbook entry is tracked at operations/key-rotation-plan.md.

Issuer Signing Key Rotation

This is the most impactful rotation. All existing user credentials become invalid.

Pre-Rotation

  1. Communicate: Notify all known issuers and verifiers at least 30 days in advance
  2. Plan downtime window: Coordinate with customers for minimal impact

Rotation

  1. Generate new RedJubjub keypair
  2. Update the provii-issuer secret: 
    wrangler secret put SIGNING_KEY --env production
  3. Update the JWKS endpoint with the new public key (add new key, keep old key for a transition period)
  4. Deploy provii-issuer

Post-Rotation

  1. Monitor for errors (users with old credentials will fail verification)
  2. After transition period (e.g., 7 days), remove old public key from JWKS
  3. Document rotation in change log

Customer API Key Rotation

  1. Customer requests new key via Admin Portal or contacts support
  2. Generate new API key in provii-management
  3. Provide new key to customer via secure channel
  4. Customer updates their integration
  5. Customer confirms new key works
  6. Revoke old key

Cloudflare API Token Rotation

  1. Generate new token in Cloudflare Dashboard with same permissions
  2. Update GitHub Actions secrets in all repositories that use the token: 
    gh secret set CLOUDFLARE_API_TOKEN --body "new-token-value" --repo provii/REPO_NAME
  3. Verify CI/CD works by triggering a test deployment
  4. Revoke old token in Cloudflare Dashboard

Emergency Key Rotation (Compromise)

If a key is suspected compromised:

  1. Rotate immediately. Do not wait for a maintenance window
  2. Revoke the old key
  3. Assess impact: What could an attacker do with the compromised key?
  4. Notify affected parties per incident response playbook
  5. Review logs for any unauthorized use of the compromised key
  6. Document as a P1/P2 incident