Locate JSON Web Key Sets
Auth0 exposes a discovery endpoint at https://YOUR_DOMAIN/.well-known/openid-configuration. You can use this endpoint to configure your application or API to automatically locate the JSON Web Key Set (JWKS) endpoint (`jwks_uri`), which contains the JWKS for all Auth0-issued JSON Web Tokens (JWTs) signed with the RS256 signing algorithm.
When validating a JWT using a JWKS, you will need to:
- Retrieve the JWKS from the Auth0 discovery endpoint, and filter for potential signing keys (e.g., any keys missing a public key or with a `kid` property).
- Grab the `kid` property from the Header of the decoded JWT.
- Search your filtered JWKS for the key with the matching `kid`.
- Build a certificate using the corresponding `x5c` property in your JWKS.
- Use the certificate to verify the JWT's signature.
For more info about the structure of a JWT, see JSON Web Token Structure.
You can cache your signing keys to improve application performance and avoid running into rate limits, but make sure that if decoding a token fails, you invalidate the cache and retrieve fresh signing keys before retrying, and retry only once.