Skip to content

What is JWK

Key idea:

JWK (JSON Web Key, RFC 7517) — a JSON representation of a cryptographic key (RSA, EC, AES). Used in OAuth 2.0 and OpenID Connect to publish public keys that signed JWTs. JWKS (JSON Web Key Set) — a URL like https://provider.com/.well-known/jwks.json containing the array of current keys. Client fetches JWKS, finds the key by kid (key ID) → verifies the JWT signature.

Below: details, example, related terms, FAQ.

Check your site's security →

Details

  • Structure: kty (Key Type), use (sig/enc), kid (Key ID), n/e (RSA) or x/y/crv (EC)
  • JWKS endpoint: /.well-known/jwks.json
  • Rotation: provider adds a new key with a new kid, keeps the old 30 days for overlap
  • Client caches JWKS to reduce provider load
  • Security: NEVER publish the private key (d parameter in JWK)

Example

{
  "keys": [
    { "kty": "RSA", "kid": "abc123", "use": "sig", "alg": "RS256",
      "n": "0vx7agoe...", "e": "AQAB" }
  ]
}

Related Terms

Understanding JWK Structure

A JSON Web Key (JWK) is a compact and self-contained way to represent a cryptographic key using JavaScript Object Notation (JSON). According to RFC 7517, a JWK typically includes several parameters that define the key type, algorithm, and usage. Here are the most common parameters:

  • kty: The key type, such as RSA or EC.
  • use: The intended use of the key, commonly sig for signature or enc for encryption.
  • alg: The algorithm intended for use with the key, such as RS256 for RSA Signature with SHA-256.
  • kid: A unique identifier for the key, used to match the key with a token.
  • n: The modulus for RSA keys, represented in base64url encoding.
  • e: The exponent for RSA keys, also in base64url encoding.
  • x and y: Coordinates for EC keys, represented in base64url encoding.

Here’s an example of a JWK for an RSA public key:

{"kty":"RSA","use":"sig","alg":"RS256","kid":"12345","n":"...base64url_encoded_modulus...","e":"...base64url_encoded_exponent..."}

Understanding the structure of JWKs is crucial for implementing secure authentication mechanisms, as it allows developers to correctly interpret and utilize the keys provided by identity providers.

Practical Examples of JWK Usage

Using JWKs is essential for modern web applications that rely on token-based authentication. Below are practical examples of how to generate, configure, and use JWKs with various libraries and tools:

Generating JWKs with OpenSSL

To generate an RSA key pair and convert it to JWK format, you can use the following OpenSSL commands:

openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem
openssl rsa -in public.pem -outform JWK -out public.jwk

Using JWKs in Node.js

When working with Node.js, you can use the jose library to handle JWKs:

const { JWK, JWT } = require('jose');
const jwk = JWK.asKey({
  kty: 'RSA',
  use: 'sig',
  alg: 'RS256',
  kid: '12345',
  n: '...base64url_encoded_modulus...',
  e: '...base64url_encoded_exponent...'
});

const token = JWT.sign({ foo: 'bar' }, jwk);
console.log(token);

These commands and code snippets illustrate the practical application of JWKs in securing API communications and enabling user authentication. By understanding how to generate and use JWKs properly, developers can enhance the security of their applications.

Common Misconceptions About JWKs

Despite their growing importance in web security, JWKs are often misunderstood. Here are some common misconceptions:

  • JWKs are only for JWTs: While JWKs are primarily associated with JSON Web Tokens (JWTs), they can also be used for other cryptographic operations, such as encrypting data.
  • JWKs contain private keys: JWKs typically represent public keys. The private keys are usually not shared and should be kept secure. Public keys can be exposed in a JWKS endpoint.
  • JWKs are static: JWKs can be dynamic, as they may change over time. Identity providers often rotate keys, and applications must handle these updates correctly to maintain security.
  • JWKs are only for OAuth 2.0: Although JWKs are widely used in OAuth 2.0 and OpenID Connect, they can also be utilized in other contexts, such as API security and data encryption.

By addressing these misconceptions, developers can better grasp the role of JWKs in securing their applications and understand how to implement them correctly.

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

JWK vs x509 PEM cert?

JWK — JSON, easy to parse in JS/Python. PEM — traditional base64. JWT with JWKS = standard OAuth path.

How to rotate keys?

Generate new key → publish in JWKS with a new kid → wait 30 days for clients to refresh cache → remove old.

How to verify JWT with JWKS?

Library like jose (Node), python-jose, PHP firebase/php-jwt with getKeyById callback.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.