Vol. 1 · Ed. 2026
CyberGlossary
Entry № 572

JWK

What is JWK?

JWK (JSON Web Key), defined in RFC 7517, is a JSON object that represents a public or private cryptographic key for use in JOSE and OAuth-family protocols.


A JWK (RFC 7517) represents a single cryptographic key as a JSON object with parameters that depend on the key type (kty): RSA keys carry n, e, and optionally d/p/q; EC keys carry crv, x, y, and optionally d; OKP keys (RFC 8037) carry crv and x for Ed25519/X25519; oct keys carry a symmetric k. Metadata fields include kid (key identifier), alg, use (sig or enc) and key_ops. A JWK Set (jwks) groups several keys, typically exposed at /.well-known/jwks.json so that relying parties can validate OAuth 2.0 access tokens or OpenID Connect ID tokens. JWK is the canonical format consumed by IdPs (Auth0, Okta, Keycloak, Cognito) and by libraries such as jose, node-jose and python-jwt.
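The following Python is added here as an illustration and is not part of the glossary or of any named library; it shows what a relying party should check when it picks a key out of a JWK Set by kid: required public parameters per kty, no private parameters leaked into the published set, no symmetric (oct) keys, use restricted to signing, exactly one kid match, and the key's own alg winning over whatever the token header claims. The JWK Set is constructed for the example and its key material is toy bytes, not real keys.

```python
import base64
import json

# Public parameters required per key type (RFC 7517, RFC 7518 §6, RFC 8037 §2)
# and the private parameters that must never appear in a published JWK Set.
REQUIRED_PUBLIC = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}, "OKP": {"crv", "x"}}
PRIVATE_PARAMS = {"RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"}, "EC": {"d"}, "OKP": {"d"}}

def b64url_decode(value: str) -> bytes:
    """Decode unpadded base64url, the encoding JWK uses for key material."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def validate_public_jwk(jwk: dict) -> None:
    """Raise ValueError unless jwk is a well-formed public signing key."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_PUBLIC:  # 'oct' lands here: symmetric secrets are never published
        raise ValueError(f"unsupported or non-public key type: {kty!r}")
    missing = REQUIRED_PUBLIC[kty] - set(jwk)
    if missing:
        raise ValueError(f"{kty} key missing parameters: {sorted(missing)}")
    leaked = PRIVATE_PARAMS[kty] & set(jwk)
    if leaked:
        raise ValueError(f"private parameters present in published key: {sorted(leaked)}")
    if jwk.get("use", "sig") != "sig":
        raise ValueError(f"not a signing key (use={jwk['use']!r})")
    for param in REQUIRED_PUBLIC[kty] - {"crv"}:
        b64url_decode(jwk[param])  # fails loudly on malformed encoding

def select_verification_key(jwks: dict, kid: str, alg: str) -> dict:
    """Pick the key a token header names, refusing ambiguous or mismatched keys."""
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one key with kid={kid!r}, found {len(matches)}")
    key = matches[0]
    validate_public_jwk(key)
    if "alg" in key and key["alg"] != alg:  # the token header must not override the key's alg
        raise ValueError(f"alg mismatch: key={key['alg']} header={alg}")
    return key

def rsa_public_numbers(jwk: dict) -> tuple:
    """Return (n, e) as integers; JWK encodes them as big-endian unsigned (RFC 7518)."""
    return tuple(int.from_bytes(b64url_decode(jwk[p]), "big") for p in ("n", "e"))

# Constructed sample JWK Set: the key material is toy bytes, not real keys.
SAMPLE_JWKS = json.loads("""{"keys": [
  {"kty": "RSA", "kid": "2026-01", "use": "sig", "alg": "RS256", "n": "AQID", "e": "AQAB"},
  {"kty": "EC", "kid": "ec-1", "use": "sig", "crv": "P-256", "x": "AQ", "y": "Ag"},
  {"kty": "EC", "kid": "leaky", "crv": "P-256", "x": "AQ", "y": "Ag", "d": "Aw"},
  {"kty": "oct", "kid": "hmac", "k": "c2VjcmV0"}
]}""")
```

In the sample set, "leaky" (carries d), "hmac" (oct) and a header asking for HS256 against the RS256 key are all rejected before any signature check runs.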

Examples

  1. An OpenID Connect provider publishes its signing keys as a JWK Set at https://issuer.example.com/.well-known/jwks.json.

  2. A WebAuthn relying party stores user public keys as JWKs with kty "EC" and crv "P-256".

Frequently asked questions

What is JWK?

JSON Web Key, defined in RFC 7517, is a JSON object that represents a public or private cryptographic key for use in JOSE and OAuth-family protocols. It belongs to the Cryptography category of cybersecurity.

How do you defend against JWK?

JWK is a key format rather than a threat; securing its use combines technical controls with operational practices around how keys are published and validated, as described in the definition above.

What are other names for JWK?

Common alternative names include: JSON Web Key, jwks.
