Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse.

Identity assertions and access tokens are typically digitally signed. The private keys used to sign these assertions and tokens are protected commensurate with the impact of the system and information resources that can be accessed.