# `Attesto.Keystore.Static`
[🔗](https://github.com/XukuLLC/attesto/blob/v0.13.0/lib/attesto/keystore/static.ex#L1)

A simple `Attesto.Keystore` backed by application configuration.

Reads its signing material from the `:attesto` application environment:

    config :attesto, Attesto.Keystore.Static,
      signing_pem: System.fetch_env!("OAUTH_SIGNING_PRIVATE_KEY_PEM"),
      # optional; defaults to [signing_pem] when omitted
      verification_pems: [current_pem, previous_pem],
      # optional; RSA defaults to RS256, EC/OKP infer from curve
      signing_alg: "PS256",
      key_algs: %{current_kid => "PS256", previous_kid => "RS256"}

Only `signing_pem` is required. When `verification_pems` is omitted, the
verification set is exactly the signing key, which is the correct
single-key default - and because Attesto derives the public half from
the private key, the signing and verifying keys can never drift.

During a rotation, set `verification_pems` to both the new and old keys
while `signing_pem` points at the new one. Once no live tokens remain
that were minted under the old key, drop the old key from the list.
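The rotation above can be driven from the environment alone. This is an added example, not code from Attesto: the variable `OAUTH_PREVIOUS_SIGNING_KEY_PEM` is a hypothetical name, and the example assumes the old key's PEM is accepted in `verification_pems` in the same form it was previously supplied as `signing_pem`.

```elixir
# config/runtime.exs (added example; not part of Attesto)
import Config

# Required: the key that new tokens are signed with.
signing_pem = System.fetch_env!("OAUTH_SIGNING_PRIVATE_KEY_PEM")

# Hypothetical variable, set only during the rotation window.
# It holds the PEM of the outgoing key so tokens minted under it still verify.
previous_pem =
  case System.get_env("OAUTH_PREVIOUS_SIGNING_KEY_PEM") do
    nil -> nil
    "" -> nil
    pem -> pem
  end

# Steady state: previous_pem is nil, so the list is [signing_pem],
#   the same set the module uses when verification_pems is omitted.
# Rotation:     the list is [new, old]; signing uses only the new key.
# Enum.uniq/1 drops the second entry if the previous variable was left
# pointing at a byte-identical copy of the current key.
verification_pems =
  [signing_pem, previous_pem]
  |> Enum.reject(&is_nil/1)
  |> Enum.uniq()

config :attesto, Attesto.Keystore.Static,
  signing_pem: signing_pem,
  verification_pems: verification_pems
```

To rotate, deploy with the old PEM moved to the previous-key variable and the new PEM in `OAUTH_SIGNING_PRIVATE_KEY_PEM`; unset the previous-key variable once no live tokens minted under the old key remain.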

Hosts with their own resolution (a secrets manager, a fail-fast boot
check, an HSM) implement `Attesto.Keystore` directly instead of using
this module.

