Auth0 recommends you rotate key material regularly to meet your compliance needs and ensure security is not compromised by leaked private keys. You can use the or to rotate new keys into use. You need to create a new credential, associate it with the private_key_jwt authentication method, and remove old or unused credentials.
The current application storage limit is two credentials at one time. To repeatedly rotate new credentials, you need to delete unused credentials.
To rotate your application credentials with Auth0 Dashboard:
  1. Navigate to Auth0 Dashboard > Applications > Application and select the application you want to update.
  2. Switch to the Credentials tab.
  3. In the Available Credentials section, select Add New Key.
  4. Set a name for your new credential, the public key in PEM format, and the algorithm for the new credential.
  5. Select Add Credential.
  6. To activate your new credential, navigate to the menu for the credential and choose Enable for Private Key JWT use.
  7. Once you have updated your applications to use the new credential, deactivate your original credential:
    1. Select Disable for Private Key JWT Use.
    2. Once disabled, return to the credential menu and select Delete Credential.

Active credentials

To assure zero downtime, you can leave multiple credentials active during rotation. Applications can function normally using older keys until keys are updated. Applications can send signed assertions with any set of active credentials. Auth0 recommends you minimize the time that multiple credentials are in use. The example below uses multiple associated credentials: 
curl --location --request PATCH 'https://$tenant/api/v2/clients/$client_id' \
  --header 'Authorization: Bearer $management_access_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
          "client_authentication_methods": {
             "private_key_jwt": {
                "credentials": [{ "id": $credential1.id }, { "id": $credential2.id }]
             }
          }
 }'

Learn more