All OAuth 2.0 have a pair of Public and Private keys for verifying and signing the Access Tokens and ID Tokens. These keys are created by BoxC and can be regenerated at any point in the future. The private key must be kept secret at all times. Your client will likely never use the private key because you only need the public key for decoding and verifying the signature of the tokens.
The Key ID is a SHA1 hash of the private key. It appears in the JWT header as kid and can be viewed on the client management page. A new Key ID will be shown only when the keys are regenerated.
Invalidating Access Tokens
You have the capability to invalidate all previously created access tokens by generating a new pair of keys. This means the API will return access denied errors if you try using an access token that was generated with the old private key because the public key is now invalid. This is useful if you believe there was a security breach in your system. BoxC does not store access tokens so it is the client's responsibility to generate access tokens with the new private key.
BoxC will never ask for your encryption keys.