Question 1

What is a JWKS?

Accepted Answer

A JSON Web Key Set (JWKS) is a JSON document containing one or more public cryptographic keys (JWKs) used to verify JWT signatures. Identity providers publish their JWKS at a well-known URL so clients can fetch the public keys needed for verification.

Question 2

How do I find my JWKS URL?

Accepted Answer

Most identity providers expose their JWKS at a standard OpenID Connect discovery URL: {issuer}/.well-known/openid-configuration. The 'jwks_uri' field in that document contains the JWKS URL. For Auth0 it is https://{your-domain}/.well-known/jwks.json.

Question 3

What is the kid claim?

Accepted Answer

The 'kid' (key ID) claim in a JWT header identifies which key in the JWKS was used to sign the token. When verifying a JWT, you fetch the JWKS and find the key whose 'kid' matches the token's header 'kid' field.

Question 4

How does JWKS relate to JWT signature verification?

Accepted Answer

To verify a JWT signature, you need the public key the issuer used to sign it. The JWKS endpoint provides all current public keys. You match the JWT's 'kid' header claim to a key in the JWKS, then use that key to verify the signature.

Question 5

Is my JWKS URL or token sent to a server?

Accepted Answer

Decoding the JWT header and payload is done entirely in your browser. If you use the 'Fetch JWKS' feature, the JWKS URL is sent to a secure server-side proxy that fetches the public key on your behalf — your JWT token itself is never sent to any server.

JWKS Viewer & JWT Inspector

Common Use Cases

Frequently Asked Questions

Related Tools