What is the origin of the "kid" claim in the JWT?

I haven’t been able to find any documentation or discussion that mentions the “kid” claim in the JWT. From the JWT spec, I understand its purpose, but I can’t relate the value with anything within auth0. So the question is how does auth0 generate the “kid” and how is it used within the auth0 system?

If I recall correctly, from the specification the kid is meant to be an opaque identifier; so it allows one to identify the key that was used to sign the JWT, but the actual format, or whether it has any specific meaning besides being just an identifier, is not specified.

At this time, and just as a curiosity note, I think the value is being derived from the underlying certificate thumbprint; however, you should not care about this. The value provided will allow you to know which key was used from the ones returned by https://[your_domain].auth0.com/.well-known/jwks.json and that’s it; you should not try to derive more information from it besides treating it as an identifier.

Thank you. That’s what I was missing (the “connection” with jwks.json). I wasn’t trying to “derive” anything meaningful from the “kid” value, I just couldn’t find where it was referenced.

Hi @jmangelo, my question is: can we get the kid from somewhere dynamically, or do we need to store it locally, to be used in the above-mentioned token verification process?

If you plan to depend on kid, or use a library that does, then it’s likely that library also allows you to provide the jwks.json endpoint mentioned above. This means the library receives the token, gets the kid from the token, gets the key from the endpoint and validates the token, assuming a matching key is found. So technically you don’t need to store kid anywhere; if you’re using it, you get it from the token and use it to find the matching key.