JWKS Generator
What is JWKS?
JWKS (JSON Web Key Set) is a JSON structure that contains a set of public keys used to verify JSON Web Tokens (JWTs). When a service issues JWTs signed with an RSA or ECDSA key, it publishes its public keys as a JWKS document at a well-known URL (like /.well-known/jwks.json). Clients and API gateways fetch this document to verify token signatures without needing the private key. This tool converts a PEM-encoded public key into the JWKS format, which is required when setting up JWT verification with API gateways and identity platforms such as AWS API Gateway, Kong, Auth0, Keycloak, or your own custom verification middleware.
How to Use the JWKS Generator Tool
- Paste your PEM-encoded RSA or EC public key (starting with -----BEGIN PUBLIC KEY-----) into the input field.
- The JWKS representation is generated automatically.
- Optionally set a Key ID (kid) to identify this key within the set.
- Copy the JWKS JSON to use in your authentication server's /.well-known/jwks.json endpoint.
This JWKS generator converts PEM public keys to JWKS format entirely in your browser — your keys are never sent to any server. Supports RSA and ECDSA public keys. Essential for configuring JWT verification in API gateways and authentication libraries.
Frequently Asked Questions
What is the Key ID (kid) field?
The kid (Key ID) is an optional identifier for the key within the JWKS set. When signing a JWT, the issuer includes the kid in the JWT header so verifiers know which key to use for verification. This is important when rotating keys — you can have multiple keys in the JWKS set simultaneously during a rollover period.
What is the difference between JWKS and a PEM public key?
A PEM key is a DER-encoded key wrapped in base64 with header/footer lines. JWKS is a JSON structure that encodes the same key parameters (modulus, exponent for RSA; x/y coordinates for EC) in a standardised format that HTTP APIs can consume natively as JSON.
Do I need to share my private key to generate a JWKS?
No. JWKS is generated from the public key only. Your private key should never leave the signing service. This tool only accepts public keys.
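The PEM-to-JWKS conversion and the role of kid during a rollover, as an added Node.js example (not this tool's own code, which runs in the browser). The helper names, the `use: 'sig'` default and the choice of the RFC 7638 thumbprint as the default kid are assumptions.

```javascript
// Added example (Node.js); helper names and defaults are assumptions, not the tool's code.
const nodeCrypto = require('node:crypto');

// RFC 7638 thumbprint input: required members only, in lexicographic order.
const THUMBPRINT_MEMBERS = { RSA: ['e', 'kty', 'n'], EC: ['crv', 'kty', 'x', 'y'] };
const PUBLIC_PEM = /^-----BEGIN PUBLIC KEY-----[A-Za-z0-9+\/=\s]+-----END PUBLIC KEY-----$/;

function jwkThumbprint(jwk) {
  const members = THUMBPRINT_MEMBERS[jwk.kty];
  if (!members) throw new Error(`unsupported key type: ${jwk.kty}`);
  const canonical = JSON.stringify(Object.fromEntries(members.map((m) => [m, jwk[m]])));
  return nodeCrypto.createHash('sha256').update(canonical).digest('base64url');
}

function pemToJwk(pem, { kid, use = 'sig' } = {}) {
  // Accept exactly one SubjectPublicKeyInfo block. createPublicKey() would also
  // derive a public key from a private-key PEM, so reject that input up front.
  if (typeof pem !== 'string' || !PUBLIC_PEM.test(pem.trim())) {
    throw new Error('input must be a single -----BEGIN PUBLIC KEY----- block');
  }
  const jwk = nodeCrypto.createPublicKey(pem).export({ format: 'jwk' });
  const thumbprint = jwkThumbprint(jwk); // also rejects key types other than RSA/EC
  // Default kid: the key's own thumbprint, so it changes whenever the key does.
  return { ...jwk, use, kid: kid ?? thumbprint };
}

function buildJwks(entries) {
  const keys = entries.map(({ pem, ...opts }) => pemToJwk(pem, opts));
  // During a rollover several keys coexist; verifiers select by kid, so it must be unique.
  if (new Set(keys.map((k) => k.kid)).size !== keys.length) {
    throw new Error('duplicate kid in key set');
  }
  return { keys };
}

// Constructed sample input: throwaway keys generated at run time.
function demoJwks() {
  const spki = { type: 'spki', format: 'pem' };
  const rsa = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const ec = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return buildJwks([
    { pem: rsa.publicKey.export(spki), kid: 'rsa-current' },
    { pem: ec.publicKey.export(spki) }, // kid defaults to the thumbprint
  ]);
}

console.log(JSON.stringify(demoJwks(), null, 2));
```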