TFT

Extract Public Keys & Generate JWK for JWT

Extract public keys from certificates or private keys and generate JWK (JSON Web Key) sets for JWT verification. Format keys for use in popular authentication servers and OAuth providers.


⚠️ Important Notes:

  • This tool generates JWK templates, not actual keys
  • Replace placeholder values with real key material
  • Never expose private keys in JWK format publicly
  • JWKS endpoints should be served over HTTPS
JWK Format Reference

RSA Keys

{
  "kty": "RSA",
  "n": "modulus",
  "e": "exponent"
}

EC Keys

{
  "kty": "EC",
  "crv": "P-256",
  "x": "x-coordinate",
  "y": "y-coordinate"
}

Symmetric Keys

{
  "kty": "oct",
  "k": "base64url-key"
}

Extracting Public Keys and Generating JWKs

The JWK generator creates JSON Web Key structures from JWT headers. When a token uses asymmetric algorithms (RS256, ES256), the header contains a kid (key ID) that references the public key needed for verification.

The tool parses the JWT header to extract the algorithm (alg) and key ID (kid). It then generates a JWK template with the appropriate structure for RSA or EC keys.

JWK structure by key type:

RSA (RS256/RS384/RS512):

{ kty: "RSA", use: "sig", alg: "RS256", kid: "...", n: "MODULUS", e: "AQAB" }

EC (ES256/ES384):

{ kty: "EC", use: "sig", alg: "ES256", crv: "P-256", kid: "...", x: "...", y: "..." }

For complete verification, you need the actual key material (the n modulus for RSA, or x/y coordinates for EC). The generator creates the structure; you populate it with keys from your JWKS endpoint.

Real-World Use Cases

Setting up JWT verification

Your backend needs to verify tokens from Auth0. You extract the kid from incoming tokens and generate matching JWKs to configure your verification library.

Creating a JWKS endpoint

You're building an auth server that issues JWTs. The generator helps you structure the public keys for your /.well-known/jwks.json endpoint.

Debugging signature verification failures

Token verification fails with "key not found". You generate a JWK from the token header to confirm the kid matches what your JWKS endpoint returns.

Migrating between key providers

Switching from Auth0 to AWS Cognito? Generate JWKs for both providers' tokens to compare key structures and ensure your verification code handles both formats.

Documenting key requirements

Your API docs need to explain what key types you support. Generate example JWKs for RSA and EC keys to show developers the expected format.

Testing key rotation scenarios

Simulate key rotation by generating JWKs with different kid values. Test that your verification logic correctly selects the matching key.

What to Know Before Using

This generates templates, not actual keys. The tool creates the JWK structure with placeholder values. You must replace MODULUS_PLACEHOLDER with the actual RSA modulus from your key pair.

Symmetric keys (HS256) don't use JWKs. If your JWT uses HS256, there's no public/private key pair. Both parties share a secret. JWKs only apply to asymmetric algorithms (RS256, ES256, etc.).

Key material must come from a trusted source. Never extract keys from untrusted tokens. Always fetch JWKs from a verified JWKS endpoint (HTTPS with certificate validation).

JWKS contains multiple keys. Production JWKS endpoints return multiple keys for rotation. The generator can create JWKS structures with primary and backup keys.

Security critical: Never share private keys. JWKs for public verification only contain public key material. Private keys (used for signing) must remain secret.
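
An added example (not this tool's code) of the key selection that the use cases and the notes above describe: read alg and kid from the token header, then pick the matching entry from a trusted JWKS, rejecting mismatched key types and entries that carry private material. The JWKS contents, the kid values and the helper names make_token, parse_header and select_jwk are constructed for illustration, and no signature is verified here.

```python
import base64
import json

# Allow-list: the algorithms this page names, mapped to the JWK "kty" each requires.
ALG_KTY = {"RS256": "RSA", "RS384": "RSA", "RS512": "RSA", "ES256": "EC", "ES384": "EC"}
# JWK members that carry private or secret material and must never appear in a public set.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

# Constructed JWKS with a primary and a backup key; the key values are placeholders.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-2024-01", "n": "MODULUS", "e": "AQAB"},
    {"kty": "EC", "use": "sig", "alg": "ES256", "crv": "P-256", "kid": "key-2024-02",
     "x": "X_PLACEHOLDER", "y": "Y_PLACEHOLDER"},
]}


def make_token(header):
    """Build a constructed, unsigned sample token that carries the given header."""
    raw = json.dumps(header).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode() + ".e30.c2ln"


def parse_header(token):
    """Decode the first JWT segment; JWTs strip base64url padding, so restore it."""
    segment = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def select_jwk(token, jwks):
    """Return the entry of a trusted JWKS that the token header points at."""
    header = parse_header(token)
    alg, kid = header.get("alg"), header.get("kid")
    kty = ALG_KTY.get(alg) if isinstance(alg, str) else None
    if kty is None:
        raise ValueError(f"alg {alg!r} is not on the asymmetric allow-list")
    if not isinstance(kid, str):
        raise ValueError("header has no usable kid; refusing to try every key")
    # Only the trusted set is searched; key material inside the header is ignored.
    matches = [k for k in jwks["keys"] if k.get("kid") == kid]
    if len(matches) != 1:
        known = [k.get("kid") for k in jwks["keys"]]
        raise KeyError(f"kid {kid!r} matched {len(matches)} keys; JWKS has {known}")
    key = matches[0]
    if key.get("kty") != kty or key.get("alg", alg) != alg or key.get("use", "sig") != "sig":
        raise ValueError(f"kid {kid!r} is not a {kty} signing key for {alg}")
    if PRIVATE_MEMBERS & key.keys():
        raise ValueError(f"kid {kid!r} carries private key material")
    return key
```

The KeyError message lists the kid values the set actually holds, which is the comparison needed when verification fails with "key not found".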

Common Questions

What's the difference between JWK and JWKS?

A JWK (JSON Web Key) is a single key. A JWKS (JSON Web Key Set) is a collection of JWKs in a { keys: [...] } structure. JWKS endpoints return sets to support key rotation.

Where do I get the actual key values?

For third-party providers (Auth0, Firebase), fetch from their JWKS endpoint (e.g., https://auth0.com/.well-known/jwks.json). For your own keys, extract from your key management system.

What does the "use" field mean?

use: "sig" means the key is for signature verification. use: "enc" would indicate encryption keys. Most JWT implementations use signature keys.

How often should keys be rotated?

Industry practice: every 30-90 days for high-security systems. Rotation requires publishing new JWKs while keeping old keys available to verify existing tokens until they expire.

Can I use this for HS256 tokens?

HS256 uses symmetric keys (shared secrets), not key pairs. There's no JWK structure for HS256—just configure your verification library with the shared secret string.

What's the "kid" used for?

The key ID tells verifiers which key in the JWKS to use. Without it, verifiers would need to try every key. Include kid in headers when you have multiple active keys.