Get the JWKs URL
A JSON Web Key (JWK) is a JSON data structure that represents a cryptographic key.
A JWK Set (JWKS) is a JSON data structure that represents a set of JWKs.
If you are using your Open Banking certificate, you should receive your JWKs URL from the Open Banking Directory.
If you are using your eIDAS certificate, you will need to publish your JWKS under a publicly available URL.
If you are testing and using services such as pastebin to temporarily host the JWKS, make sure that you provide the URL of the raw JSON and not the HTML web page displaying it.
The JWKs URL can include several JWKs (a JWKS), but it must contain at least the public signing key which will be used in the requests.
Supported key types
Both RSA and Elliptic Curve (EC) key types are supported. The JWKS structure can include both key types in the same key set.
Depending on the key type, you must include the following fields:
| JWK field mandatory for RSA | Description |
|---|---|
kid | The key ID that is used to match a specific key. |
kty | The cryptographic algorithm family used with the key. For RSA keys, the value is RSA. |
e | Contains the exponent value for the RSA public key, represented as a Base64urlUInt-encoded value. |
n | Contains the modulus value for the RSA public key, represented as a Base64urlUInt-encoded value. This can be generated using the following command: openssl x509 -noout -modulus -in signing.pem | cut -c 9- | xxd -r -p | base64 | tr '/+' '_-' | tr -d '='. |
use | The intended use of the public key. Must be set to sig for signing keys. |
x5c | An array containing the base64-encoded .der signing certificate. It can be obtained directly from your signing.pem certificate with the following command: sed -E '/(^-----[A-Z ]+-----$)/d' signing.pem | tr -d '\n'. |
To view an example RSA key, see our production JWKS.
Validate your JWK
You can use the following form to check if your JWK is valid. To do that, copy and paste the full contents of your JWK below and click Test.