JWK — JSON Web Key

Enterno.io Editorial Team

What is JWK

By Anatoly Oshmanovsky · Updated Apr 17, 2026

Key idea:

JWK (JSON Web Key, RFC 7517) — a JSON representation of a cryptographic key (RSA, EC, AES). Used in OAuth 2.0 and OpenID Connect to publish public keys that signed JWTs. JWKS (JSON Web Key Set) — a URL like https://provider.com/.well-known/jwks.json containing the array of current keys. Client fetches JWKS, finds the key by kid (key ID) → verifies the JWT signature.

Below: details, example, related terms, FAQ.

Try it now — free →

Details

Structure: kty (Key Type), use (sig/enc), kid (Key ID), n/e (RSA) or x/y/crv (EC)
JWKS endpoint: /.well-known/jwks.json
Rotation: provider adds a new key with a new kid, keeps the old 30 days for overlap
Client caches JWKS to reduce provider load
Security: NEVER publish the private key (d parameter in JWK)

Example

{
  "keys": [
    { "kty": "RSA", "kid": "abc123", "use": "sig", "alg": "RS256",
      "n": "0vx7agoe...", "e": "AQAB" }
  ]
}

Related Terms

HeadersCSP, HSTS, X-Frame-Options, etc.

SSL/TLSEncryption and certificate

ConfigurationServer settings and leaks

Grade A-FOverall security score

Why teams trust us

OWASP

guidelines

15+

security headers

<2s

result

A–F

security grade

How it works

Enter site URL

Security headers analyzed

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

❌

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.

❌

Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.

❌

Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.

❌

X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.

❌

Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

✓

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.

✓

Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.

✓

Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.

✓

Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.

✓

Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Learn more

How-to

Glossary

Research

Alternatives

Frequently Asked Questions

JWK vs x509 PEM cert?

JWK — JSON, easy to parse in JS/Python. PEM — traditional base64. JWT with JWKS = standard OAuth path.

How to rotate keys?

Generate new key → publish in JWKS with a new kid → wait 30 days for clients to refresh cache → remove old.

How to verify JWT with JWKS?

Library like jose (Node), python-jose, PHP firebase/php-jwt with getKeyById callback.