Confusion about the JWKS

Here is is said that the public endpoint for a JWKS will be used to expose all keys for signing JWTs. Shouldn’t this be all keys for verifying JWTs? It wouldn’t make sense to expose the keys used to sign. Am I missing something here?

Hey @oleksg

When I look at the page, the first line says “verifying” not “sigining”.
That is correct.

Buried in the page, there is “signing” instead of “verifying”
That is incorrect.

Thanks for point it out! I will file a doc issue.

John

I take it back - it is actually correct, if a little confusing.

To be clear: a JWK can be used for signing or verifying. Please see the RFC linked within that doc page. The JWKs returned by the Auth0 endpoint are used for verifying, not signing.

If you are seeing something different, please let me know the exact text on the page you are referring to.

Thanks!

John

Hey John,

I am referring to this text
" Auth0 exposes a JWKS endpoint for each tenant, which is found at https://YOUR_DOMAIN/.well-known/jwks.json . This endpoint will contain the JWK used to sign all Auth0-issued JWTs for this tenant."

Got it, thanks! I filed a doc change. – j

1 Like

@oleksg

And… it is already fixed. Thanks again!!!

John

Great, thanks a lot for such a quick response and fix.