Last Updated: Sep 27, 2024
Overview
This article explains the difference between a JSON Web Key Set (JWKS) and a Privacy Enhanced Mail (PEM) certificate.
Applies To
- JSON Web Key Set (JWKS)
- Privacy Enhanced Mail (PEM)
Solution
JSON Web Key (JWK)
This format is defined by the JSON Web Key IETF RFC (RFC 7517). The JSON Web Key Set (JWKS) for a tenant is available from the https://TENANT_DOMAIN/.well-known/jwks.json endpoint. This is the standard discovery mechanism in the OAuth2 and OpenID Connect frameworks, and it is typically used by applications that need to retrieve a tenant's public signing keys programmatically, for example to verify the signature on an access token or ID token. Most of our SDKs do this behind the scenes.
When the /.well-known/jwks.json endpoint is called, Auth0 returns a JSON object containing the keys and their associated information, such as the signing algorithm (alg), the key's use (use), the X.509 certificate chain (x5c), and the key ID (kid).
To learn more about JWKS, take a look at our JWT Handbook.
Privacy Enhanced Mail (PEM) Certificate
A PEM certificate from Auth0 is a text file containing a Base64-encoded public key certificate between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. PEM is a common format for both public and private keys, and in the context of Auth0, public signing keys are made available via the https://TENANT_DOMAIN/pem endpoint. This is a convenient way for a human to retrieve a public key for use with the JWT.io token debugger.
Take a look at some examples.
Here is an example JWKS:
{
  "keys": [
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "n": "sGQGrUGqZGMmDwMg1yH0jlP_186h55t95KQAeH2QVXMuLYzCnphTMWtPC5BOCFJWiiuzsvpfTmM2WmzOHDSfq8G-fmr_ZFEJJsJgxvs2B4J_MEa8h56fiCAumanHDc5Dk0MZUYUmbLghC11plC9rmotttLY0zyXdFrUdOycC9feTmB0Y7dWphlikPdLGhogWnXOKbQrEmaWe3gdlOTAhWFdB46L9KAHv9blr9OEg_ydQIAHMtX4E5yKngfGNFVQscVsBhk-KvvNbKh4nxelMfkJv1kOb3i_ablSQrC7FgxG20ULnYppQYhy2DIChQXrdjxnugJNRcy4ncnNtPs5ddw",
      "e": "AQAB",
      "kid": "8oaG5fcZCdtbKXUD2o0Q5",
      "x5t": "wtP4GQmf6Okdbz23AB-AVHxTO9g",
      "x5c": [
        "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"
      ]
    },
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "n": "up6wIOegIGLv5hb-mXqT_t7-HmZYz-ACAMR-e1cxJMzAVqf5sLmF9C1IPWsYvGKjAVmSlhQaL4w5zWvPxmxsnBUTQeUDq9hUaKE0c6KxUmsaaO40NVDdp5ga1FzeXs-bzllS61LVXku14vdORPao08sY4Y7RL8lL9AZc821QrLiuORaI30lzmxVJwtn4NxKeYI3NkUYk4EpM7a-qvJrtFRlBCXB6ZdNDBwKzUCcY5tJvnk8EWnRpl1iu2qeJcG8TiyTFMTC-oxkD9Bz3NrTgKld4PZlYvw4R5oBXMkf74vwvaxh3G7w-PcKot3DeQ-VDVRgDqzVF7JbXfvkyEYydqw",
      "e": "AQAB",
      "kid": "zYJRWS5DdTnqosLOYLS1E",
      "x5t": "D9pI046Bz90XvxNTvfoxZyi4Its",
      "x5c": [
        "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"
      ]
    }
  ]
}
Here is a PEM certificate for the first key in the above JWKS:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Notice that the first x5c entry of the first key in the JWKS is exactly the body of the PEM certificate: x5c carries the DER-encoded X.509 certificate as standard Base64, and the PEM file is that same Base64 wrapped between the BEGIN and END lines. The key's x5t value is the SHA-1 thumbprint of that certificate, and n and e are the RSA modulus and exponent of the public key inside it, so all three representations describe the same signing key.
In conclusion, the JWK carries the certificate alongside other parameters describing the key (algorithm, use, key ID, thumbprint), which is what applications and servers need in order to select the right key for a token and verify its signature. The PEM endpoint provides the same certificate in a form that is easily accessible to humans and can be pasted into tools like JWT.io.
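The following is an added example, not code from the article or from Auth0's SDKs, that makes the relationships above concrete with only the Python standard library: it selects a key from the JWKS by kid, rebuilds a PEM public key from the n and e parameters (by hand-encoding the RSA SubjectPublicKeyInfo in DER), re-wraps an x5c entry into a PEM certificate, and recomputes x5t as the SHA-1 thumbprint of the certificate. The modulus, exponent, kid and x5t values are copied from the JWKS shown in the article; because the article does not reproduce the x5c certificate bodies, the certificate helpers are exercised on a constructed placeholder string that is clearly not a real certificate.

```python
"""Relating JWKS entries (n/e, x5c, x5t) to PEM material. Standard library only."""
import base64
import hashlib

# The two keys from the article's JWKS (n, e, kid, x5t copied verbatim).
# The x5c arrays are left out because the article does not reproduce them.
JWKS = {
    "keys": [
        {
            "alg": "RS256", "kty": "RSA", "use": "sig",
            "n": "sGQGrUGqZGMmDwMg1yH0jlP_186h55t95KQAeH2QVXMuLYzCnphTMWtPC5BOCFJWiiuzsvpfTmM2WmzOHDSfq8G-fmr_ZFEJJsJgxvs2B4J_MEa8h56fiCAumanHDc5Dk0MZUYUmbLghC11plC9rmotttLY0zyXdFrUdOycC9feTmB0Y7dWphlikPdLGhogWnXOKbQrEmaWe3gdlOTAhWFdB46L9KAHv9blr9OEg_ydQIAHMtX4E5yKngfGNFVQscVsBhk-KvvNbKh4nxelMfkJv1kOb3i_ablSQrC7FgxG20ULnYppQYhy2DIChQXrdjxnugJNRcy4ncnNtPs5ddw",
            "e": "AQAB",
            "kid": "8oaG5fcZCdtbKXUD2o0Q5",
            "x5t": "wtP4GQmf6Okdbz23AB-AVHxTO9g",
        },
        {
            "alg": "RS256", "kty": "RSA", "use": "sig",
            "n": "up6wIOegIGLv5hb-mXqT_t7-HmZYz-ACAMR-e1cxJMzAVqf5sLmF9C1IPWsYvGKjAVmSlhQaL4w5zWvPxmxsnBUTQeUDq9hUaKE0c6KxUmsaaO40NVDdp5ga1FzeXs-bzllS61LVXku14vdORPao08sY4Y7RL8lL9AZc821QrLiuORaI30lzmxVJwtn4NxKeYI3NkUYk4EpM7a-qvJrtFRlBCXB6ZdNDBwKzUCcY5tJvnk8EWnRpl1iu2qeJcG8TiyTFMTC-oxkD9Bz3NrTgKld4PZlYvw4R5oBXMkf74vwvaxh3G7w-PcKot3DeQ-VDVRgDqzVF7JbXfvkyEYydqw",
            "e": "AQAB",
            "kid": "zYJRWS5DdTnqosLOYLS1E",
            "x5t": "D9pI046Bz90XvxNTvfoxZyi4Its",
        },
    ]
}

# Constructed placeholder standing in for an x5c entry; NOT a real certificate.
PLACEHOLDER_X5C = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """JWK values (n, e, x5t) are base64url without padding; restore the padding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def find_key(jwks: dict, kid: str):
    """Pick the JWK whose kid matches a token header's kid; None if no such key."""
    return next((k for k in jwks["keys"] if k.get("kid") == kid), None)


# --- minimal DER encoder: just enough for an RSA SubjectPublicKeyInfo ---
def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def _der_integer(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def modulus_bits(jwk: dict) -> int:
    return int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()


def jwk_to_spki_der(jwk: dict) -> bytes:
    """Build the DER SubjectPublicKeyInfo for an RSA JWK from its n and e."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA keys are handled here")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    rsa_public_key = _der(0x30, _der_integer(n) + _der_integer(e))
    algorithm = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def to_pem(der: bytes, label: str) -> str:
    """PEM is standard Base64 of the DER bytes, wrapped at 64 columns."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def jwk_to_public_key_pem(jwk: dict) -> str:
    return to_pem(jwk_to_spki_der(jwk), "PUBLIC KEY")


def x5c_to_certificate_pem(x5c_entry: str) -> str:
    """An x5c entry is the DER certificate in standard Base64; PEM re-wraps it."""
    return to_pem(base64.b64decode(x5c_entry), "CERTIFICATE")


def x5t_for_x5c(x5c_entry: str) -> str:
    """x5t is the base64url-encoded SHA-1 thumbprint of the DER certificate."""
    return b64url_encode(hashlib.sha1(base64.b64decode(x5c_entry)).digest())


def thumbprint_matches(jwk: dict, x5c_entry: str) -> bool:
    """Check that a key's advertised x5t really belongs to the given certificate."""
    return jwk.get("x5t") == x5t_for_x5c(x5c_entry)


PLACEHOLDER_X5T = x5t_for_x5c(PLACEHOLDER_X5C)

if __name__ == "__main__":
    key = find_key(JWKS, "8oaG5fcZCdtbKXUD2o0Q5")
    print(f"{key['kid']}: RSA-{modulus_bits(key)}")
    print(jwk_to_public_key_pem(key))
    print(x5c_to_certificate_pem(PLACEHOLDER_X5C))
    print("placeholder x5t:", PLACEHOLDER_X5T)
```

The public-key PEM produced from n and e is the SubjectPublicKeyInfo form (BEGIN PUBLIC KEY), which is what most JWT libraries accept directly; the certificate PEM from x5c (BEGIN CERTIFICATE) is the form served by the /pem endpoint and contains that same public key. A verifier that takes the certificate from x5c should compare it against x5t, as thumbprint_matches does, so that a tampered or mismatched JWKS entry is rejected rather than trusted.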