JWK (JSON Web Key)

A JWK (JSON Web Key) is a JSON data structure representing a cryptographic key per RFC 7517. It includes kty (key type), use, alg, kid, and key material fields such as n/e for RSA or crv/x/y for EC keys. JWKs let services distribute public keys without PEM files. Private JWKs must never be published — only public keys belong on JWKS endpoints. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail. Document expected behavior for client teams so tokens are issued, stored, and validated consistently across services.

Why It Matters

JWK is the bridge between asymmetric JWT signing and automated key discovery. Identity providers publish JWK sets so resource servers fetch the right public key by kid. Correct JWK field formatting prevents subtle verification failures across languages. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses.

Related Terms

Related Tools

Related Articles

Frequently Asked Questions

What is the difference between JWK and PEM?

JWK is JSON-based for APIs and JWKS endpoints. PEM is a text envelope format common in files and OpenSSL. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

Can JWK contain private keys?

Yes, but never expose private JWKs publicly. Publish only public keys on JWKS URIs. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

What is kid in a JWK?

A key identifier matching the kid header in JWTs signed with that key. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts. Test edge cases with expired, malformed, and wrong-algorithm tokens in CI before shipping auth changes.