JSON Web Key Set (JWKS)
A JSON Web Key Set (JWKS) is a JSON data structure that represents a set of cryptographic keys, used by relying parties to verify the signatures of JWTs issued by an authorization server.
Also: JWK, JWKS
A JSON Web Key Set is a JSON object containing an array of JSON Web Keys (JWKs). Each JWK represents a single cryptographic key and includes fields describing the key type, its algorithm, its usage, a key identifier, and the key material itself. The set is typically published at a well-known URL by the authorization server.
When a client or resource server receives a signed JWT, it fetches the JWKS from the issuer, locates the key matching the token’s key ID header, and uses that key to verify the signature. This allows the issuer to rotate keys by adding new entries and retiring old ones without coordinating directly with every relying party.
OpenID Connect mandates that providers publish a JWKS endpoint, making it a standard part of the discovery and trust model for federated authentication.
For CIAM, the JWKS endpoint is what enables customer-facing applications and APIs to verify identity tokens independently, without calling back to the authorization server on every request.
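The key lookup described above, as an added example (not code from this glossary or from any particular authorization server): a relying party selects the JWK by the token's `kid`, pins the algorithms it accepts, and refetches the set when an unknown `kid` suggests the issuer has rotated keys. The names `JwksCache`, `select_key`, `sample_token` and the injected `fetch` callable are assumptions for illustration; verifying the signature with the returned key is left to a JOSE library.

```python
import base64, json, time

ALLOWED_ALGS = {"RS256": "RSA", "ES256": "EC"}  # accepted alg -> required JWK "kty"

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) as JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

class JwksCache:
    """Caches a JWKS; an unknown kid triggers a refetch, at most once per min_refetch seconds."""
    def __init__(self, fetch, min_refetch=60, clock=time.monotonic):
        self.fetch, self.min_refetch, self.clock = fetch, min_refetch, clock
        self.keys, self.last_fetch = {}, None

    def _refresh(self):
        keys = {}
        for jwk in self.fetch().get("keys", []):
            if isinstance(jwk.get("kid"), str):
                keys.setdefault(jwk["kid"], jwk)  # first entry wins on a duplicate kid
        self.keys, self.last_fetch = keys, self.clock()

    def select_key(self, token):
        """Return the JWK that should verify `token`; raise ValueError otherwise."""
        header = b64url_json(token.split(".")[0])
        alg, kid = header.get("alg"), header.get("kid")
        if not isinstance(alg, str) or alg not in ALLOWED_ALGS:  # rejects "none" and HMAC algs
            raise ValueError(f"algorithm not allowed: {alg!r}")
        if not isinstance(kid, str):
            raise ValueError("token header has no kid")
        stale = self.last_fetch is None or self.clock() - self.last_fetch >= self.min_refetch
        if kid not in self.keys and stale:
            self._refresh()  # the issuer may have rotated in a new key
        jwk = self.keys.get(kid)
        if jwk is None:
            raise ValueError(f"no key with kid {kid!r}")
        if jwk.get("kty") != ALLOWED_ALGS[alg]:
            raise ValueError("key type does not match token algorithm")
        if jwk.get("use", "sig") != "sig" or jwk.get("alg", alg) != alg:
            raise ValueError("key is not published for signing with this algorithm")
        return jwk

# Constructed sample data: the "n" values are placeholders, not real key material.
OLD_KEY = {"kty": "RSA", "kid": "2024-01", "use": "sig", "alg": "RS256", "n": "placeholder", "e": "AQAB"}
NEW_KEY = dict(OLD_KEY, kid="2024-02")
JWKS_BEFORE, JWKS_AFTER = {"keys": [OLD_KEY]}, {"keys": [OLD_KEY, NEW_KEY]}

def sample_token(alg, kid):
    """Constructed token: only the header is meaningful; payload and signature are dummies."""
    header = json.dumps({"alg": alg, "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.c2ln"
```

The refetch limit keeps a stream of tokens with made-up `kid` values from turning every request into a call to the issuer's JWKS endpoint.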
Sources
- IETF RFC 7517, JSON Web Key (JWK): https://datatracker.ietf.org/doc/html/rfc7517
Standards
- IETF RFC 7517