JWKS Generator
Build a JSON Web Key Set from one or more public keys with kid, alg, and use fields. Generate fresh keys or import your own — everything runs in your browser.
Generate a new key
Creates a fresh key pair and adds the public key to the set
Import a public key
Paste an SPKI PEM public key or a JWK object
JWKS output
RFC 7517 JSON Web Key Set · publish at /.well-known/jwks.json
Private by design
Keys are generated and parsed locally with the Web Crypto API. Nothing — public or private — is ever uploaded to a server.
RSA, EC & Ed25519
Generate RSA, P-256/384/521, and Ed25519 keys, or import any SPKI PEM or JWK public key into a single combined set.
Standards-compliant
Emits an RFC 7517 JWKS with RFC 7638 thumbprint kids, ready for OAuth, OpenID Connect, and JWT verification.
About JWKS Generator
A JWKS (JSON Web Key Set) is a JSON document that holds one or more public
keys, defined by RFC 7517. Authorization servers and identity providers publish a JWKS —
usually at /.well-known/jwks.json — so that
clients and resource servers can fetch the public keys needed to verify the signatures on
JWTs (ID tokens and access tokens). Each key entry carries metadata such as kid (key ID), alg (algorithm), and use (sig or enc).
This JWKS Generator lets you assemble that document from scratch. Generate brand-new RSA, EC, or Ed25519 key pairs in your browser, or import public keys you already have as SPKI PEM or JWK. The tool computes deterministic, RFC 7638 thumbprint key IDs, suggests the right algorithm for each key type, and combines everything into a single, copy-ready JWKS.
- Generate RSA-2048/3072/4096, EC P-256/P-384/P-521, and Ed25519 keys
- Import SPKI PUBLIC KEY PEM or JWK objects
- Auto-computed kid from the RFC 7638 JWK thumbprint
- Per-key alg and use editing for key rotation
- Private key material for generated keys stays out of the JWKS and is yours to download
- 100% client-side — no key data ever leaves your device
How to Use the JWKS Generator
1. Add one or more keys
Pick an algorithm and click Generate & add key to mint a fresh pair, or paste an existing SPKI PEM public key or JWK and click Import & add key.
2. Tune kid, alg, and use
Each key gets a thumbprint kid by default. Override it with your own naming scheme, choose the signing or encryption algorithm, and set the intended use.
3. Save private keys (generated keys only)
For keys you generated here, expand the private key panel to copy or download the PKCS#8 PEM and private JWK. Store them securely — they are never included in the JWKS output.
4. Copy or download the JWKS
Grab the combined jwks.json and serve it from your /.well-known/jwks.json endpoint or feed it to your JWT verification library.
Common Use Cases
Host a JWKS Endpoint
- Serve keys at /.well-known/jwks.json
- Let clients fetch and cache verification keys
- Power your custom OAuth / OIDC server
Key Rotation
- Publish old + new keys with distinct kids
- Roll signing keys without downtime
- Retire keys once tokens expire
JWT Verification Setup
- Feed JWKS to jose, jwks-rsa, or PyJWKClient
- Match tokens to keys via the kid header
- Verify RS256, ES256, and EdDSA signatures
Local Dev & Mocking
- Mock an identity provider's JWKS in tests
- Generate throwaway keys for staging
- Reproduce auth bugs with known keys
Service-to-Service Auth
- Distribute public keys to verifying services
- Sign internal JWTs with your private key
- Keep private keys off public infrastructure
Learning JOSE & PKI
- See how a JWKS wraps public JWKs
- Explore thumbprint kids (RFC 7638)
- Compare RSA, EC, and OKP key shapes
Frequently Asked Questions
What is a JWKS?
A JWKS (JSON Web Key Set) is a JSON object with a keys array, where each entry is a JWK (JSON Web Key). It's defined by RFC 7517 and is the standard
way for an authorization server to publish the public keys used to verify JWT signatures, so
clients can fetch them dynamically from a JWKS endpoint.
What is the kid and how is it generated?
The kid (key ID) lets a verifier pick the right key
when a JWT header references it. By default this tool sets the kid to the RFC 7638 JWK thumbprint — a deterministic base64url SHA-256 hash of the key's canonical
members — so the same key always gets the same ID. You can replace it with any naming scheme you
prefer.
Are private keys included in the JWKS?
No. The JWKS output only ever contains public key components. For keys you generate here, the private key is shown separately so you can download it — and if you paste a private JWK on import, the tool strips the private fields before adding it to the set. Never publish private key material in a JWKS.
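The default kid and the private-field stripping described in the two answers above, as an added example that is not the tool's own code: it computes the RFC 7638 thumbprint for RSA, EC and OKP keys, removes private members, rejects duplicate kids, and checks a set before publishing. The function names are assumptions, Node's crypto module replaces the browser's Web Crypto API so the block runs offline, and the sample key is the Ed25519 test key from RFC 8037 Appendix A.

```javascript
// Added example, not the tool's source. Node's crypto module stands in for Web Crypto.
const { createHash } = require("node:crypto");

// RFC 7638 required members per key type, listed in lexicographic order.
const REQUIRED = { RSA: ["e", "kty", "n"], EC: ["crv", "kty", "x", "y"], OKP: ["crv", "kty", "x"] };
// Private-key members for RSA, EC and OKP keys (RFC 7518, RFC 8037).
const PRIVATE = ["d", "p", "q", "dp", "dq", "qi", "oth"];

// Ed25519 test key from RFC 8037 Appendix A; "d" is its published private part.
const SAMPLE_KEY = {
  kty: "OKP", crv: "Ed25519",
  d: "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
  x: "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
};

// kid = base64url(SHA-256(canonical JSON of the required members only)).
function thumbprint(jwk) {
  const names = REQUIRED[jwk.kty];
  if (!names) throw new Error(`unsupported kty: ${jwk.kty}`);
  const canonical = {};
  for (const name of names) {
    if (typeof jwk[name] !== "string") throw new Error(`missing member: ${name}`);
    canonical[name] = jwk[name];
  }
  // JSON.stringify keeps insertion order and emits no whitespace, as RFC 7638 requires.
  return createHash("sha256").update(JSON.stringify(canonical), "utf8").digest("base64url");
}

// Drop private members, then attach kid (thumbprint unless overridden), use and alg.
function toPublicEntry(jwk, { kid, use = "sig", alg } = {}) {
  const pub = Object.fromEntries(Object.entries(jwk).filter(([name]) => !PRIVATE.includes(name)));
  return { ...pub, kid: kid ?? thumbprint(jwk), use, ...(alg ? { alg } : {}) };
}

// Verifiers select a key by kid, so a set with two identical kids is refused.
function buildJwks(entries) {
  const kids = new Set();
  for (const { kid } of entries) {
    if (kids.has(kid)) throw new Error(`duplicate kid: ${kid}`);
    kids.add(kid);
  }
  return { keys: entries };
}

// Pre-publish check: true if any entry still carries a private member.
function leaksPrivateKey(jwks) {
  return jwks.keys.some((key) => PRIVATE.some((name) => name in key));
}
console.log(JSON.stringify(buildJwks([toPublicEntry(SAMPLE_KEY, { alg: "EdDSA" })]), null, 2));
```

Running leaksPrivateKey over the file that is about to be served at /.well-known/jwks.json works as a deployment gate, whichever tool produced the set.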
Which key types and algorithms are supported?
RSA (2048/3072/4096), EC on P-256, P-384, and P-521, and Ed25519 (OKP). Signature algorithms include RS256/384/512, PS256/384/512, ES256/384/512, ES256K, and EdDSA; encryption keys offer the RSA-OAEP family. Ed25519 generation requires a recent browser (Chrome 113+, Safari 17+, Firefox 130+).
What input formats can I import?
Paste an SPKI -----BEGIN PUBLIC KEY----- PEM block or
a single JWK JSON object. Legacy PKCS#1 (RSA PUBLIC KEY)
isn't natively importable by the Web Crypto API — convert it first with openssl pkey -pubin -in key.pem -pubout.
Can I add multiple keys for rotation?
Yes. Add as many keys as you like — each with its own kid.
Publishing both the outgoing and incoming key during a rotation window lets verifiers accept tokens
signed by either key until the old tokens expire.
Is the JWKS compatible with my JWT library?
Yes. The output is a standard RFC 7517 JWKS and works with jose (Node / browser), jwks-rsa,
node-jose, PyJWT's PyJWKClient, Go's keyfunc, and most other JOSE tooling, as well as
IdPs like Auth0, Okta, and Keycloak.
Is my data safe? Does this send keys to a server?
Everything happens in your browser using the Web Crypto API. No key — public or private — is uploaded, logged, or stored. For maximum safety when handling real private keys, you can even disconnect from the network; the tool keeps working once loaded.