How does the jwt.io debugger know where to fetch public key

vinay.krshnn · February 23, 2020, 9:13pm

How does jwt.io (any client implementation) know where to fetch the public key to verify JWT signature? I used a JWT in the debugger signed using public key retrievable from a jwks endpoint. The payload does have the configuration endpoint (iss claim) but just curious to know what is the logic to go about finding where to retrieve the public key from?

How does the debugger know that the value in iss is a configuration endpoint and should try reading values from it.

I could use using browser tools that JWT.io makes a call to the configuration endpoint to retrieve signing information.

What is the identification logic to go about making this external call?

thijmen96 · February 24, 2020, 11:54am

Auth0 uses the JSON Web Key (JWK) specification, so the public key is stored in a “well known” place. JWT.io then simply makes an educated guess based on iss.

The key is stored in https://your_domain/.well-known/jwks.json.

Topic		Replies	Views
Where is the Auth0 public key to be used in jwt.io to verify the signature of a RS256 token? Help auth0 , certificate , jwtio , rsa	6	40350	September 15, 2022
Where are jwks key IDs obtained from - anywhere in the auth0 GUI? JWT.io node , jwks	2	6044	March 5, 2020
Verify JWT token received from auth0 JWT.io jwt , auth0	4	21839	January 12, 2020
Confusion about the JWKS Help	6	2621	February 24, 2022
I don't have public key to verify my tokens Help apis , application	2	897	July 20, 2023

How does the jwt.io debugger know where to fetch public key

Related Topics