March 9, 2026

Keys in cache, rage in comments

Lazy JWT Key Rotation in .NET: Redis-Powered JWKS That Just Works

Dev puts login keys in Redis, security yells 'Use a hardware vault' and the thread explodes

TLDR: A .NET guide shows rotating login keys using Redis so tokens keep working while keys change. Commenters split: security pros demand hardware vaults and question storing keys in cache, while pragmatists like the simplicity—or say ditch tokens and use sessions—making this a textbook convenience vs. caution fight.

A developer rolled out a “lazy” way to swap sign-in keys using Redis, and the crowd went feral. The post shows a .NET server that rotates keys every 90 days, keeps old public keys for a year, and publishes them via JWKS (a public key list) so older logins keep working. It’s neat, fast, and restart-proof thanks to Redis.

Security purists pounced. “Keys in Redis?” asked one, arguing they belong in a FIPS 140-rated hardware box (an HSM) where thieves can’t snatch them. Others shrugged and said skip fancy tokens entirely: “Just store session IDs in Redis,” especially if you don’t actually have a separate identity server. That stung, because JWTs (signed web tokens) are really for when one service signs users in and others need to trust it.

Meanwhile, a code link drew a deadpan “That’s dark man,” spawning memes about “Schrödinger’s Key” living in cache. Supporters praised the practicality—automatic expiry, no cron jobs, easy scaling—while skeptics warned about compliance checklists and headline-making breaches. The vibe: clever engineering vs. security dogma, with popcorn.

If you want receipts, the code’s right here: Article 08 and Article 07. Bring your threat models—and your flame-retardant suit. The debate is very much alive tonight.

Key Points

  • The article adds proper JWT signing key rotation to a .NET authentication server that exposes OIDC discovery and JWKS endpoints.
  • Private signing keys are rotated every 90 days or less, while corresponding public keys are retained for 365 days to validate existing tokens.
  • Redis is used to cache JWKS and key records, providing automatic expiry and persistence across restarts and deployments.
  • Administrative revocation of keys (public and private) is supported to handle compromise or policy changes.
  • Code repositories on GitHub are provided for both the previous and updated implementations, with guidance to follow along or use prepared code.
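The rotation, retention and revocation policy summarized above, modeled as an added Python example (not the article's .NET code): an in-memory dict stands in for Redis, the JWK payload is a placeholder, and the clock is injectable so the 90-day and 365-day windows can be exercised deterministically.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import secrets

ROTATE_AFTER = timedelta(days=90)    # stop signing with a private key after this
RETAIN_PUBLIC = timedelta(days=365)  # keep publishing the public key this long

@dataclass
class KeyRecord:
    kid: str
    public_jwk: dict          # placeholder JWK; a real record carries n/e or x/y
    created_at: datetime
    public_revoked: bool = False

class KeyRing:
    """Policy model only: a dict stands in for Redis, and the 365-day window
    is checked against created_at instead of relying on a Redis TTL."""
    def __init__(self, now: datetime):
        self.now = now                          # injectable clock (assumption)
        self.records: dict = {}
        self.current_kid: Optional[str] = None

    def signing_kid(self) -> str:
        """Lazy rotation: mint a new key only when a signer asks and the
        current key is missing, revoked, or older than ROTATE_AFTER."""
        cur = self.records.get(self.current_kid)
        stale = cur is None or cur.public_revoked \
            or self.now - cur.created_at >= ROTATE_AFTER
        if stale:
            kid = secrets.token_hex(8)          # constructed kid, not a thumbprint
            self.records[kid] = KeyRecord(kid, {"kty": "EC", "kid": kid}, self.now)
            self.current_kid = kid
        return self.current_kid

    def jwks(self) -> list:
        """Public keys a verifier may trust: not revoked and inside RETAIN_PUBLIC."""
        return [r.public_jwk for r in self.records.values()
                if not r.public_revoked and self.now - r.created_at < RETAIN_PUBLIC]

    def revoke_private(self, kid: str) -> None:
        """Signing-key compromise: stop signing with it now, keep verifying
        already-issued tokens until the public key ages out."""
        if kid == self.current_kid:
            self.current_kid = None

    def revoke_public(self, kid: str) -> None:
        """Policy change: tokens signed with this key stop validating immediately."""
        self.records[kid].public_revoked = True
```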

Hottest takes

"The key material is in redis?" — time4tea
"Much simpler: just store session ids in Redis" — legulere
"That’s dark man" — hexagonsuns
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.