@@ -0,0 +1,5 @@
{
"width": 1907,
"height": 1039,
"updated": "2026-04-21T01:05:53.678Z"
}
24 changes: 14 additions & 10 deletions src/pages/docs/infrastructure/signing-keys/index.md
@@ -1,25 +1,29 @@
---
layout: src/layouts/Default.astro
pubDate: 2023-11-01
modDate: 2023-11-01
modDate: 2026-04-15
title: Signing Keys
description: Signing keys used for OpenID Connect authentication
navOrder: 40
hideInThisSection: true
---

Octopus uses a Signing Key to sign the generated authorization request tokens used in the authentication flow for OpenID Connect. The public signing key is used by the resource server to validate the token supplied by Octopus.
Octopus uses a signing key to sign the generated authorization request tokens used in the authentication flow for OpenID Connect. The public signing key is used by the resource server to validate the token supplied by Octopus.

The signing keys by default have a 90-day expiry and will be rotated when they expire.
Depending on your security requirements, your public keys can either be hosted by your Octopus Deploy instance or delegated to a third party.

:::div{.warning}
Since OpenID Connect authentication is still an EAP feature, there is no User Interface to manage or view the Signing Keys.
## Internally hosted

The following API endpoints can be used to manage the Signing Keys:
When using internally hosted public keys, your Octopus Deploy instance will host and manage them. Octopus Deploy will automatically rotate and revoke the keys according to your preferences. Any tokens Octopus Deploy creates will include the current public address of your Octopus Deploy instance as the issuer. Ensure your Octopus Deploy instance is accessible at this address.

List all keys: `GET` `/api/signingkeys/v1`
## Externally hosted

Rotate the active key: `POST` `/api/signingkeys/rotate/v1`
When externally hosting public keys, they will be available for download as a zip file. The contents of this zip file can then be hosted on any hosting provider that publicly serves HTTPS. The location where the files are hosted must be provided as the **OIDC Issuer URL**. When Octopus Deploy creates a token, the issuer will point to the **OIDC Issuer URL**. While the location specified by the issuer URL must be publicly available, the Octopus Deploy instance can be isolated from public access.

Revoke a signing key: `POST` `/api/signingkeys/{id}/revoke/v1`
:::
### Rotating externally hosted keys

Externally hosted public keys must be manually rotated. Upon clicking **Rotate**, a new set of keys will be downloaded as a zip file. You will then need to upload the contents of this file to your chosen hosting provider. Octopus Deploy will poll the provided **OIDC Issuer URL** for the new keys. After it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key.

:::div{.info}
The new key set will include your previous active key. This ensures that all OIDC services continue to function while the key rotation is underway. Octopus Deploy will start signing tokens with the new key only after validating that the new key is available at the issuer URL.
:::
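Review bot: the new "Internally hosted" paragraph says keys are rotated and revoked "according to your preferences", but this hunk removes the only statement of the default (the 90-day expiry line) and the three `/api/signingkeys` endpoints without saying where those preferences are set or whether the endpoints remain available. Suggest keeping the default rotation interval in the text, naming where it is configured, and either retaining the endpoint list or stating that it no longer applies. The "Rotating externally hosted keys" section covers rotation only; a sentence on how an externally hosted key is revoked, and on when the previous active key is dropped from the published key set, would let readers plan for a compromised key.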
37 changes: 22 additions & 15 deletions src/pages/docs/projects/version-control/github/index.md
Expand Up @@ -10,16 +10,32 @@ navOrder: 30

The Octopus Deploy GitHub App provides seamless integration between Octopus Deploy and GitHub.

:::div{.hint}
The Octopus Deploy GitHub App is only supported on Octopus Cloud instances.
:::

To get started, go to the GitHub Connections page in the Deploy -> Manage section of your Octopus cloud instance, and follow the prompts.
To get started, go to the GitHub Connections page in the Deploy -> Manage section of your Octopus cloud instance.

## GitHub App Connections

GitHub Connections is the recommended way to connect Octopus to your GitHub accounts (organizations or users). It provides seamless and secure connection via the Octopus GitHub App, without using personal access tokens.

### Installing and authorizing the Octopus GitHub App

You install the Octopus GitHub App on an account (organization or user) to give it access to the repositories or other content within that account. Authorizing gives the Octopus GitHub App permission to act on your behalf in any account that has the app installed.

:::figure
![Screenshot of GitHub Connections screen showing the Authorize Octopus Deploy GitHub App button](/docs/img/api-and-integration/github/github-connections-authorize-app.png)
:::

Selecting authorize will take you to GitHub to complete the installation and authorization process.

If you are authorizing the app for a self-hosted instance, you will be required to copy an access code over to your octopus instance.

#### More information on installing and authorizing the Octopus GitHub App

Installing and authorizing are both GitHub concepts. If you want to find out more about what installing and authorizing GitHub App and how to manage these installation and authorizations, refer to the GitHub documentation:

- [GitHub Apps documentation](https://docs.github.com/en/apps/using-github-apps/about-using-github-apps)
- [Installing GitHub apps documentation](https://docs.github.com/en/apps/using-github-apps/installing-a-github-app-from-a-third-party)
- [Authorizing GitHub apps documentation](https://docs.github.com/en/apps/using-github-apps/authorizing-github-apps)

### Connecting a GitHub account

Before you can use an GitHub account in Octopus Deploy, you need to connect the account to the Space.
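Review bot: the introductory line still reads "your Octopus cloud instance" although this hunk removes the Cloud-only hint and adds a sentence about authorizing the app for a self-hosted instance, so the two now disagree. Suggest "your Octopus instance" there, capitalising "Octopus" in "your octopus instance", and saying where in Octopus the access code is entered. The sentence "find out more about what installing and authorizing GitHub App and how to manage these installation and authorizations" is missing words; "what installing and authorizing a GitHub App mean, and how to manage installations and authorizations" would read correctly.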
Expand Down Expand Up @@ -90,16 +106,7 @@ In order to use Octopus Deploy with GitHub allow lists, the IP address of your O

Due to a limitation in the way that GitHub supports inheritance of IP addresses when performing actions on behalf of a user, the IP address for the GitHub App needs to be configured manually and cannot be inherited from the app settings. For more information please refer to [GitHub's Documentation](https://docs.github.com/en/enterprise-cloud@latest/apps/maintaining-github-apps/managing-allowed-ip-addresses-for-a-github-app#about-ip-address-allow-lists-for-github-apps)

## More information on installing and authorizing the Octopus GitHub App

You install the Octopus GitHub App on an account (organization or user) to give the repositories or other content within that account. Authorizing gives the Octopus GitHub App permission to act on your behalf in any account that has the app installed.

Installing and authorizing are both GitHub concepts. If you want to find out more about what installing and authorizing GitHub App and how to manage these installation and authorizations, refer to the GitHub documentation:

- [GitHub Apps documentation](https://docs.github.com/en/apps/using-github-apps/about-using-github-apps)
- [Installing GitHub apps documentation](https://docs.github.com/en/apps/using-github-apps/installing-a-github-app-from-a-third-party)
- [Authorizing GitHub apps documentation](https://docs.github.com/en/apps/using-github-apps/authorizing-github-apps)

## Older versions

- Prior to version 2024.3.12703 when the new UI navigation was introduced, the GitHub Connections page is located in the Library section of Octopus.
- The Octopus GitHub App for self-hosted instances is only available from Octopus **2026.2** onwards.
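Review bot: the 2026.2 minimum for self-hosted instances appears only as the last bullet under "Older versions", whereas the Cloud-only hint it replaces sat at the top of the page. Suggest adding a hint near the introduction stating that self-hosted instances need Octopus 2026.2 or later, so readers on earlier versions see the requirement before they start the authorization steps. The bullet itself describes a minimum version rather than older behaviour, so it may fit better under a requirements heading.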