24 changes: 14 additions & 10 deletions src/pages/docs/infrastructure/signing-keys/index.md
@@ -1,25 +1,29 @@
---
layout: src/layouts/Default.astro
pubDate: 2023-11-01
modDate: 2023-11-01
modDate: 2026-04-15
title: Signing Keys
description: Signing keys used for OpenID Connect authentication
navOrder: 40
hideInThisSection: true
---

Octopus uses a Signing Key to sign the generated authorization request tokens used in the authentication flow for OpenID Connect. The public signing key is used by the resource server to validate the token supplied by Octopus.
Octopus uses a signing key to sign the generated authorization request tokens used in the authentication flow for OpenID Connect. The public signing key is used by the resource server to validate the token supplied by Octopus.

The signing keys by default have a 90-day expiry and will be rotated when they expire.
Depending on your security requirements, your public keys can either be hosted by your Octopus Deploy instance or delegated to a third party.

:::div{.warning}
Since OpenID Connect authentication is still an EAP feature, there is no User Interface to manage or view the Signing Keys.
## Internally hosted

The following API endpoints can be used to manage the Signing Keys:
When using internally hosted public keys, your Octopus Deploy instance will host and manage them. Octopus Deploy will automatically rotate and revoke the keys according to your preferences. Any tokens Octopus Deploy creates will include the current public address of your Octopus Deploy instance as the issuer. Ensure your Octopus Deploy instance is accessible at this address.

List all keys: `GET` `/api/signingkeys/v1`
## Externally hosted

Rotate the active key: `POST` `/api/signingkeys/rotate/v1`
When externally hosting public keys, they will be available for download as a zip file. The contents of this zip file can then be hosted on any hosting provider that publicly serves HTTPS. The location where the files are hosted must be provided as the **OIDC Issuer URL**. When Octopus Deploy creates a token, the issuer will point to the **OIDC Issuer URL**. While the location specified by the issuer URL must be publicly available, the Octopus Deploy instance can be isolated from public access.

Revoke a signing key: `POST` `/api/signingkeys/{id}/revoke/v1`
:::
### Rotating externally hosted keys

Externally hosted public keys must be manually rotated. Upon clicking **Rotate**, a new set of keys will be downloaded as a zip file. You will then need to upload the contents of this file to your chosen hosting provider. Octopus Deploy will poll the provided **OIDC Issuer URL** for the new keys. After it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key.

:::div{.info}
The new key set will include your previous active key. This ensures that all OIDC services continue to function while the key rotation is underway. Octopus Deploy will start signing tokens with the new key only after validating that the new key is available at the issuer URL.
:::
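Review bot: the unchanged line "The signing keys by default have a 90-day expiry and will be rotated when they expire" now conflicts with the new "Rotating externally hosted keys" section, which states that externally hosted keys must be manually rotated; qualify it, e.g. "Internally hosted signing keys have a 90-day expiry by default and are rotated automatically when they expire", so the automatic rotation claim applies only to the internally hosted case. Two further gaps in the new text: the removed warning block was the only place documenting the rotate and revoke endpoints (`POST /api/signingkeys/rotate/v1`, `POST /api/signingkeys/{id}/revoke/v1`), and the new sections give no replacement for performing those actions on internally hosted keys apart from "according to your preferences" without saying where those preferences are set; and the externally hosted section says the zip contents must be hosted at the **OIDC Issuer URL** but does not say which files the zip contains or at what paths relative to that URL they must be served, which the reader needs in order to configure the hosting provider and for Octopus's polling to validate the new keys. Minor: "Ensure your Octopus Deploy instance is accessible at this address" should say to whom (the resource servers validating the tokens), since the externally hosted section explicitly allows the instance itself to be isolated from public access.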