JSON Web Key Sets

Learn more

The JSON Web Key Set (JWKS) is a set of keys containing the public keys used to verify any issued by the and signed using the RS256 signing algorithm. When creating applications and APIs in Auth0, two algorithms are supported for signing : RS256 and HS256. RS256 generates an asymmetric signature, which means a private key must be used to sign the JWT and a different public key must be used to verify the signature. Auth0 uses the JSON Web Key (JWK) specification to represent the cryptographic keys used for signing RS256 tokens. This specification defines two high-level data structures: JSON Web Key (JWK) and JSON Web Key Set (JWKS). Here are the definitions from the specification:

Item	Description
JSON Web Key (JWK)	A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.
JSON Web Key Set (JWKS)	A JSON object that represents a set of JWKs. The JSON object MUST have a `keys` member, which is an array of JWKs.

Auth0 exposes a JWKS endpoint for each tenant, which is found at https://{yourDomain}/.well-known/jwks.json. This endpoint will contain the JWK used to verify all Auth0-issued JWTs for this tenant.

Currently, Auth0 signs with only one JWK at a time; however, it is important to assume this endpoint could contain multiple JWKs. As an example, multiple keys can be found in the JWKS when rotating application signing keys.

Learn more

Validate JSON Web Tokens

JSON Web Key Set Properties

⌘I

Protect Your Application

Call APIs On User's Behalf

Protect Your Tenant

Compliance

Learn more

Protect Your Application

Call APIs On User's Behalf

Protect Your Tenant

Compliance

Documentation Index

​Learn more

Learn more