SUNET · leifj · Jun 11, 2026 · Jun 12, 2026 · leifj · Jun 12, 2026
diff --git a/developer_tools/scripts/jwt_issuer/README.md b/developer_tools/scripts/jwt_issuer/README.md
@@ -33,6 +33,10 @@ make release-jwt-issuer BUMP=patch   # or minor, major
   -jwt-out my-token.jwt \
   -jwk-out my-jwks.json \
   -priv-out my-private.jwk
+
+# Reuse an existing private key (avoids generating a new key each run)
+./bin/jwt_issuer \
+  -priv-in my-private.jwk
 ```
 
 ## Flags
@@ -49,6 +53,7 @@ make release-jwt-issuer BUMP=patch   # or minor, major
 | `-kid`      | `test-key-1`                       | Key ID in JWKS                       |
 | `-jwt-out`  | `token.jwt`                        | Output file for the signed JWT       |
 | `-jwk-out`  | `jwks.json`                        | Output file for the JWKS             |
+| `-priv-in`  | (none)                             | Input file for an existing private JWK (reuse key) |
 | `-priv-out` | (none)                             | Output file for the private JWK      |
 
 ## Example apigw config

diff --git a/developer_tools/scripts/jwt_issuer/main.go b/developer_tools/scripts/jwt_issuer/main.go
@@ -29,6 +29,7 @@ func main() {
 	jwtFile := flag.String("jwt-out", "token.jwt", "output file for the signed JWT")
 	jwkFile := flag.String("jwk-out", "jwks.json", "output file for the JWKS (public keys)")
 	privFile := flag.String("priv-out", "", "output file for the private JWK (optional)")
+	privInFile := flag.String("priv-in", "", "input file for an existing private JWK (optional, generates new key if not set)")
 
 	flag.Parse()
 
@@ -41,17 +42,31 @@ func main() {
 		*email = *subject
 	}
 
-	// Generate ECDSA P-256 key pair
-	rawKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		fatal("generate key: %v", err)
-	}
+	var privJWK jwk.Key
 
-	// Build private JWK
-	privJWK, err := jwk.Import(rawKey)
-	if err != nil {
-		fatal("import private key: %v", err)
+	if *privInFile != "" {
+		// Load existing private key from file
+		privJSON, err := os.ReadFile(*privInFile)
+		if err != nil {
+			fatal("read private key file: %v", err)
+		}
+		privJWK, err = jwk.ParseKey(privJSON)
+		if err != nil {
+			fatal("parse private key: %v", err)
+		}
+		fmt.Printf("Private key loaded from %s\n", *privInFile)
+	} else {
+		// Generate ECDSA P-256 key pair
+		rawKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		if err != nil {
+			fatal("generate key: %v", err)
+		}
+		privJWK, err = jwk.Import(rawKey)
+		if err != nil {
+			fatal("import private key: %v", err)
+		}
 	}
+
 	if err := privJWK.Set(jwk.KeyIDKey, *kid); err != nil {
 		fatal("set kid: %v", err)
 	}