Locate JSON Web Key Sets
Use this Discovery endpoint to configure your application or API to automatically locate the JSON Web Key Set (JWKS) endpoint (jwks_uri), which contains the keys used to sign all Auth0-issued JSON Web Tokens (JWTs) that use the RS256 signing algorithm. The endpoint exists at:
When validating a JWT using a JWKS, you will need to:
1. Retrieve the JWKS from the Auth0 Discovery endpoint, and filter for potential signing keys (e.g., ignore any keys that lack a public key or a kid property).
2. Take the kid property from the Header of the decoded JWT.
3. Search your filtered JWKS for the key with the matching kid property.
4. Build a certificate using the corresponding x5c property in your JWKS.
5. Use the certificate to verify the JWT's signature.
For more info about the structure of a JWT, see JSON Web Token Structure.
It's good practice to assume that multiple signing keys could be present in your JWKS. This may seem unnecessary since the Auth0 JWKS endpoint typically contains a single signing key; however, multiple keys can be found in the JWKS when rotating signing certificates.
We recommend caching your signing keys to improve application performance and to avoid running into rate limits. If decoding a token fails, invalidate the cache and retrieve new signing keys, then try only one more time.
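The five verification steps and the cache-and-retry-once policy above, as an added worked example in Go that is not part of the Auth0 documentation or of any Auth0 SDK. It uses only the standard library. Because it has to run offline, it constructs its own RSA keys, self-signed certificates and tokens in newKey and mint (fixtures standing in for the tenant's issuer and its jwks_uri), and the function that would GET jwks_uri is injected as fetch. VerifyRS256, VerifyWithRefresh, RotationScenario and the key-1/key-2/key-3 key identifiers are names chosen here, not Auth0 values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK and JWKS mirror the jwks_uri document (only the fields the steps above use are modelled).
type JWK struct{ Kty, Use, Kid string; X5c []string }
type JWKS struct{ Keys []JWK }

// VerifyRS256 performs steps 1-5 above against an already-fetched JWKS.
func VerifyRS256(token string, set JWKS) error {
	h, rest, _ := strings.Cut(token, ".")
	p, s, ok := strings.Cut(rest, ".")
	hdrRaw, err1 := base64.RawURLEncoding.DecodeString(h)
	sig, err2 := base64.RawURLEncoding.DecodeString(s)
	var hdr struct{ Alg, Kid string } // step 2: kid is taken from the decoded header
	if !ok || err1 != nil || err2 != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return fmt.Errorf("malformed JWT")
	}
	if hdr.Alg != "RS256" { // pin the algorithm; the token must never choose how it is verified
		return fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var x5c string
	for _, k := range set.Keys { // step 1 (keep only usable RSA signing keys) and step 3 (match kid) in one pass
		if k.Kty == "RSA" && k.Use == "sig" && k.Kid != "" && len(k.X5c) > 0 && k.Kid == hdr.Kid {
			x5c = k.X5c[0] // step 4 input: the leaf certificate as standard base64 DER
		}
	}
	der, err := base64.StdEncoding.DecodeString(x5c)
	cert, perr := x509.ParseCertificate(der)
	if x5c == "" || err != nil || perr != nil || cert.PublicKeyAlgorithm != x509.RSA {
		return fmt.Errorf("no usable RSA signing certificate for kid %q", hdr.Kid)
	}
	pub := cert.PublicKey.(*rsa.PublicKey)      // safe: the key algorithm was checked above
	digest := sha256.Sum256([]byte(h + "." + p)) // step 5: the signature covers header.payload
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// VerifyWithRefresh is the caching policy from the text: use the cached keys; only if the token fails, drop the cache, fetch jwks_uri again and try exactly once more.
func VerifyWithRefresh(token string, cache *JWKS, fetch func() (JWKS, error)) (err error) {
	if cache.Keys != nil && VerifyRS256(token, *cache) == nil {
		return nil
	}
	if *cache, err = fetch(); err != nil { // cold cache, or the keys may have rotated since it was filled
		return err
	}
	return VerifyRS256(token, *cache) // final attempt: a failure here is not retried
}

func must[T any](v T, err error) T { // fixture helper: panic on error so the constructed key material stays short
	if err != nil {
		panic(err)
	}
	return v
}

// newKey is a constructed fixture: an RSA key, a self-signed cert and the JWK an issuer would publish for it.
func newKey(kid string) (*rsa.PrivateKey, JWK) {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
	return priv, JWK{Kty: "RSA", Use: "sig", Kid: kid, X5c: []string{base64.StdEncoding.EncodeToString(der)}}
}

// mint stands in for the issuer: it signs a minimal token whose header names kid.
func mint(priv *rsa.PrivateKey, kid string) string {
	enc := base64.RawURLEncoding.EncodeToString
	signed := enc([]byte(`{"alg":"RS256","typ":"JWT","kid":"`+kid+`"}`)) + "." + enc([]byte(`{"sub":"user-1"}`))
	digest := sha256.Sum256([]byte(signed))
	return signed + "." + enc(must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])))
}

// RotationScenario: the issuer rotates from key-1 to key-2 between verifications, and a token from a key that was never published (key-3) costs exactly one refetch and is then rejected.
func RotationScenario() (fetches int, oldErr, rotatedErr, unknownErr error) {
	oldPriv, old := newKey("key-1")
	curPriv, cur := newKey("key-2")
	strayPriv, _ := newKey("key-3")
	published := JWKS{Keys: []JWK{old}} // what jwks_uri currently serves (constructed)
	fetch := func() (JWKS, error) { fetches++; return published, nil }
	cache := &JWKS{}
	oldErr = VerifyWithRefresh(mint(oldPriv, "key-1"), cache, fetch)       // cold cache: fetch 1
	published.Keys = append(published.Keys, cur)                            // issuer rotates: key-2 is now published
	rotatedErr = VerifyWithRefresh(mint(curPriv, "key-2"), cache, fetch)   // cache miss, fetch 2, verified
	unknownErr = VerifyWithRefresh(mint(strayPriv, "key-3"), cache, fetch) // fetch 3, then rejected
	return fetches, oldErr, rotatedErr, unknownErr
}

func main() { fmt.Println(RotationScenario()) }
```

Two choices go slightly beyond the page: the algorithm is pinned to RS256 before any key is consulted instead of being read from the header, and the refresh is bounded to one refetch per failed token, so a stream of invalid tokens costs at most one request each and can never loop. Running the block prints the fetch count and the outcome of the three verifications.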