AddTemporarySigningCredential vs AddSigningCredential in IdentityServer4

春和景丽 2021-02-19 15:20

According to the docs, IdentityServer uses an asymmetric key pair to sign and validate JWTs. One could either use AddTemporarySigningCredential() in the configurati

2 answers
  • 2021-02-19 15:32

    Instead of AddTemporarySigningCredential, consider using AddDeveloperSigningCredential

    From http://docs.identityserver.io/en/release/topics/startup.html#refstartupkeymaterial:

    AddDeveloperSigningCredential

    Same purpose as the temporary signing credential. But this version persists the key to the file system so it stays stable between server restarts. This addresses issues when the client/api metadata caches get out of sync during development.

    WARNING: AddDeveloperSigningCredential can be used only when the IdentityServer host is running on a SINGLE machine; for a production farm you need to use AddSigningCredential.

  • 2021-02-19 15:52

    The disadvantage is that every time you restart IdentityServer, the key material will change - or IOW - all tokens that have been signed with the previous key material will fail to validate.

    "Temporary" is really only for situations where you don't have other key material available.

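The two answers above, combined into one startup helper, as an added example that is not code from either answer or from the IdentityServer documentation: development uses the file-persisted developer key, every other environment must load a real certificate and fails at startup if it cannot. The helper name `AddStableSigningKey`, the config key `IdentityServer:SigningCertThumbprint` and the choice of the `LocalMachine\My` store are assumptions, and the code assumes ASP.NET Core 3.x or later.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public static class SigningKeySetup
{
    // Hypothetical helper; call it as:
    //   services.AddIdentityServer().AddStableSigningKey(env, config);
    public static IIdentityServerBuilder AddStableSigningKey(
        this IIdentityServerBuilder builder, IHostEnvironment env, IConfiguration config)
    {
        if (env.IsDevelopment())
        {
            // Single machine only: the key is persisted to a file, so tokens
            // issued before a restart still validate afterwards.
            return builder.AddDeveloperSigningCredential();
        }

        // Assumed config key. The value is the thumbprint of a certificate
        // installed on every node of the farm, so all nodes sign with one key.
        var thumbprint = config["IdentityServer:SigningCertThumbprint"];
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new InvalidOperationException("No signing certificate configured.");

        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);

        // Fail closed: never fall back to a generated key outside development.
        if (matches.Count != 1)
            throw new InvalidOperationException("Signing certificate not found in LocalMachine\\My.");

        var cert = matches[0];
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key.");

        // NotBefore and NotAfter are local time, so compare against DateTime.Now.
        var now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            throw new InvalidOperationException("Signing certificate is outside its validity period.");

        return builder.AddSigningCredential(cert);
    }
}
```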