RFC 7517 — JSON Web Key (JWK)
Spec: datatracker.ietf.org/doc/html/rfc7517
Status: Full
RFC 7517 defines the JSON representation of cryptographic keys and the JWK Set format used to publish signing keys.
Implemented
- JWK Set endpoint — `GET /.well-known/jwks.json` returns all active signing keys for the tenant.
- Key types — RSA and EC (P-256, P-384, P-521) signing keys are published. EC keys are created via `createX509Certificate({ keyType: "EC-P-256" | "EC-P-384" | "EC-P-521" })`; RSA remains the default.
- Standard JWK parameters — `kty`, `kid`, `use`, `alg`, `n`, `e` (RSA), `x`, `y`, `crv` (EC) are populated as appropriate. New keys derive `kid` from the RFC 7638 JWK Thumbprint. The `alg` member is explicitly published per key (RSA → `RS256`; EC P-256 → `ES256`; EC P-384 → `ES384`; EC P-521 → `ES512`).
- Key rotation — multiple keys can be published simultaneously so that old tokens remain verifiable while new tokens are signed with a new key.
- Cache headers — JWKS responses include appropriate `Cache-Control` headers so downstream resource servers can cache public keys.