Locate JSON Web Key Sets

Use this Discovery endpoint to configure your application or API to automatically locate the JSON Web Key Set (JWKS) endpoint (jwks_uri), which contains the JWKS used to sign all Auth0-issued JSON Web Tokens (JWTs) signed with the RS256 signing algorithm. The endpoint exists at:

https://YOUR_DOMAIN/.well-known/openid-configuration.

When validating a JWT using a JWKS, you will need to:

  1. Retrieve the JWKS from the Auth0 Discovery endpoint, and filter for potential signing keys (e.g., any keys missing a public key or with a kid property).

  2. Grab the kid property from the Header of the decoded JWT.

  3. Search your filtered JWKS for the key with the matching kid property.

  4. Build a certificate using the corresponding x5c property in your JWKS.

  5. Use the certificate to verify the JWT's signature.

For an example that uses JWKS to verify a JWT's signature, see Navigating RS256 and JWKS (uses Node.js), or check out our Backend/API Quickstarts.

For more info about the structure of a JWT, see JSON Web Token Structure.

It's good practice to assume that multiple signing keys could be present in your JWKS. This may seem unnecessary since the Auth0 JWKS endpoint typically contains a single signing key; however, multiple keys can be found in the JWKS when rotating signing certificates.

We recommend that you cache your signing keys to improve application performance and avoid running into rate limits, but you will want to make sure that if decoding a token fails, you invalidate the cache and retrieve new signing keys before trying only one more time.

Learn more