> Describes how to use the JSON Web Keys (JWKs) discovered using the JSON Web Key Set (JWKS) endpoint to verify a JWT signature.

# Locate JSON Web Key Sets

Use the Discovery endpoint to configure your application or API to automatically locate the [JSON Web Key Set (JWKS)](/docs/secure/tokens/json-web-tokens/json-web-key-sets) endpoint (`jwks_uri`), which serves the JWKS containing the public keys used to verify all Auth0-issued <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JSON+Web+Tokens">JSON Web Tokens</Tooltip> (JWTs) signed with the RS256 <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=signing+algorithm">signing algorithm</Tooltip>. The Discovery endpoint exists at:

`https://{yourDomain}/.well-known/openid-configuration`

When [validating a JWT](/docs/secure/tokens/json-web-tokens/validate-json-web-tokens) using a JWKS, you will need to:

1. Retrieve the JWKS from the `jwks_uri` located through the Auth0 Discovery endpoint, and filter for potential signing keys (for example, discard any keys missing a public key or a `kid` property).
2. Grab the `kid` property from the Header of the decoded JWT.
3. Search your filtered JWKS for the key with the matching `kid` property.
4. Build a certificate using the corresponding `x5c` property in your JWKS.
5. Use the certificate to verify the JWT's signature.

For an example that uses JWKS to verify a JWT's signature, see [Navigating RS256 and JWKS](https://auth0.com/blog/navigating-rs256-and-jwks/) (uses Node.js), or check out our [Backend/API Quickstarts](/docs/quickstart/backend).

For more info about the structure of a JWT, see [JSON Web Token Structure](/docs/secure/tokens/json-web-tokens/json-web-token-structure).

It's good practice to assume that multiple signing keys could be present in your JWKS. This may seem unnecessary since the Auth0 JWKS endpoint typically contains a single signing key; however, multiple keys can be found in the JWKS when rotating signing certificates.

We recommend that you cache your signing keys to improve application performance and avoid running into [rate limits](/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy). If decoding a token fails, invalidate the cache and retrieve new signing keys before trying **only one** more time.
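The lookup steps and the cache-and-retry-once advice above, as an added Node.js example that is not Auth0's code. `JwksVerifier` and the injected `fetchJwks` function are hypothetical names, and the public key is built from the JWK's `n`/`e` members instead of an `x5c` certificate so the example needs no certificate fixture.

```javascript
// Added example, not Auth0 code. fetchJwks is a hypothetical injected async
// function returning the parsed JWKS; the key is built from n/e, not x5c.
const nodeCrypto = import('node:crypto'); // dynamic import: valid in CJS and ESM
const b64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Step 1: keep RSA signature keys that carry a kid and public key material.
function filterSigningKeys(jwks) {
  return (jwks.keys || []).filter((k) =>
    k.kty === 'RSA' && (k.use === undefined || k.use === 'sig') &&
    typeof k.kid === 'string' && k.kid !== '' && k.n && k.e);
}

class JwksVerifier {
  constructor(fetchJwks) {
    this.fetchJwks = fetchJwks;
    this.keys = null; // cached Map kid -> JWK; null means "fetch on next use"
  }
  async loadKeys() {
    if (!this.keys) {
      const usable = filterSigningKeys(await this.fetchJwks());
      this.keys = new Map(usable.map((k) => [k.kid, k]));
    }
    return this.keys;
  }
  // Steps 3 and 5 against the cached keys: match the kid, check the signature.
  async checkSignature(parts, kid) {
    const { createPublicKey, verify } = await nodeCrypto;
    const jwk = (await this.loadKeys()).get(kid);
    if (!jwk) throw new Error('no signing key for kid');
    const key = createPublicKey({ key: { kty: 'RSA', n: jwk.n, e: jwk.e }, format: 'jwk' });
    const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
    const ok = verify('RSA-SHA256', signed, key, Buffer.from(parts[2], 'base64url'));
    if (!ok) throw new Error('bad signature');
  }
  async verify(token) {
    const parts = String(token).split('.');
    if (parts.length !== 3) throw new Error('malformed JWT');
    const header = b64urlJson(parts[0]); // step 2: read kid from the header
    // Pin RS256 and reject structurally bad tokens before touching the cache.
    if (header.alg !== 'RS256' || typeof header.kid !== 'string') throw new Error('bad header');
    try {
      await this.checkSignature(parts, header.kid);
    } catch {
      this.keys = null; // invalidate, refetch, and try only one more time
      await this.checkSignature(parts, header.kid);
    }
    return b64urlJson(parts[1]);
  }
}
```

This covers the signature only; claim checks such as expiry, issuer and audience belong to the wider validation process linked above.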

## Learn more

* [JSON Web Key Sets](/docs/secure/tokens/json-web-tokens/json-web-key-sets)
* [JSON Web Key Set Properties](/docs/secure/tokens/json-web-tokens/json-web-key-set-properties)
* [JSON Web Token Claims](/docs/secure/tokens/json-web-tokens/json-web-token-claims)
* [JSON Web Token Structure](/docs/secure/tokens/json-web-tokens/json-web-token-structure)
* [Validate JSON Web Tokens](/docs/secure/tokens/json-web-tokens/validate-json-web-tokens)
* [Token Best Practices](/docs/secure/tokens/token-best-practices)
