JSON Web Key Set
At the most basic level, the JSON Web Key Set (JWKS) is a set of keys containing the public keys that should be used to verify any JSON Web Token (JWT) issued by the authorization server and signed using the RS256 signing algorithm.
When creating applications and APIs in Auth0, two algorithms are supported for signing JWTs: RS256 and HS256. RS256 generates an asymmetric signature, which means a private key must be used to sign the JWT and a different public key must be used to verify the signature.
Auth0 uses the JSON Web Key (JWK) specification to represent the cryptographic keys used for signing RS256 tokens. This specification defines two high-level data structures: JSON Web Key (JWK) and JSON Web Key Set (JWKS). Here are the definitions directly from the specification:
| Term | Definition |
|---|---|
| JSON Web Key (JWK) | A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value. |
| JSON Web Key Set (JWKS) | A JSON object that represents a set of JWKs. The JSON object MUST have a |
Auth0 exposes a JWKS endpoint for each tenant, which is found at https://YOUR_DOMAIN/.well-known/jwks.json. This endpoint will contain the public JWK for the key used to sign all Auth0-issued JWTs for this tenant.
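The following is an added example, not Auth0's own code: a standard-library Python sketch of what a verifier does with a JWKS document already fetched from the endpoint above. It picks the key by the token's `kid`, pins the algorithm to RS256, and checks the RSASSA-PKCS1-v1_5 signature. The function names are hypothetical, and the JWK member names (`keys`, `kid`, `kty`, `use`, `n`, `e`) are taken from RFC 7517/7518 rather than from this page.

```python
import base64, hashlib, hmac, json

# DER prefix of the SHA-256 DigestInfo used by RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(s):
    """Decode unpadded base64url, as used by JWT segments and JWK members."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def select_key(jwks, kid):
    """Return the RSA signing JWK whose kid matches the token header, else None."""
    for jwk in jwks.get("keys", []):
        if kid and jwk.get("kid") == kid and jwk.get("kty") == "RSA" \
                and jwk.get("use", "sig") == "sig" and "n" in jwk and "e" in jwk:
            return jwk
    return None

def verify_rs256(token, jwks):
    """Return the claims if the RS256 signature verifies against the JWKS, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64u(header_b64))
        sig = b64u(sig_b64)
    except Exception:
        raise ValueError("malformed token")
    # Pin the algorithm: the token must not be allowed to select HS256 or "none".
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    jwk = select_key(jwks, header.get("kid"))
    if jwk is None:
        raise ValueError("no matching key in JWKS")
    n = int.from_bytes(b64u(jwk["n"]), "big")
    e = int.from_bytes(b64u(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8  # modulus length in bytes
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        raise ValueError("bad signature")
    digest = hashlib.sha256(f"{header_b64}.{payload_b64}".encode()).digest()
    # Rebuild the full padded block and compare it whole, rather than parsing the padding.
    expected = (b"\x00\x01" + b"\xff" * (k - 3 - len(SHA256_PREFIX) - 32)
                + b"\x00" + SHA256_PREFIX + digest)
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(recovered, expected):
        raise ValueError("bad signature")
    return json.loads(b64u(payload_b64))
```

This covers the signature only; claims such as expiry, issuer and audience still have to be validated, and production code should use a maintained JWT library instead of hand-written RSA arithmetic.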
- JSON Web Key Set Properties
- Verify a JSON Web Token's Signature using the JSON Web Key Set Endpoint
- Validate a JSON Web Token