How does the jwt.io debugger know where to fetch public key

How does jwt.io (any client implementation) know where to fetch the public key to verify JWT signature? I used a JWT in the debugger signed using public key retrievable from a jwks endpoint. The payload does have the configuration endpoint (iss claim) but just curious to know what is the logic to go about finding where to retrieve the public key from?

How does the debugger know that the value in iss is a configuration endpoint and that it should try reading values from it?

I could see using browser tools that JWT.io makes a call to the configuration endpoint to retrieve signing information.

What is the identification logic to go about making this external call?

1 Like

Auth0 uses the JSON Web Key (JWK) specification, so the public key is stored in a “well known” place. JWT.io then simply makes an educated guess based on iss.

The key is stored in https://your_domain/.well-known/jwks.json.

2 Likes
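The lookup the answer describes, written out end to end as an added example (this is not JWT.io's or Auth0's code). It assumes the issuer `https://your_domain/` is on a local allowlist, simulates the two `.well-known` URLs with an in-memory dictionary instead of real HTTP, and signs with a constructed, deliberately toy RSA key so the whole thing runs offline. The client derives the JWKS location from `iss`, picks the key whose `kid` matches the token header, and verifies RS256 with plain big-integer arithmetic:

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: two well-known Mersenne primes, NOT a key anyone should use.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus size in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

ISSUER = "https://your_domain/"          # placeholder tenant, as on the page
TRUSTED_ISSUERS = {ISSUER}               # never dereference an iss that is not on this list


def b64u_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def int_to_b64u(i: int) -> str:
    return b64u_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))


# Constructed stand-in for the network: URL -> JSON document the server would return.
FAKE_HTTP = {
    ISSUER + ".well-known/openid-configuration": {
        "issuer": ISSUER,
        "jwks_uri": ISSUER + ".well-known/jwks.json",
    },
    ISSUER + ".well-known/jwks.json": {
        "keys": [{"kty": "RSA", "kid": "demo-key-1", "use": "sig",
                  "alg": "RS256", "n": int_to_b64u(N), "e": int_to_b64u(E)}]
    },
}


def fetch_json(url: str) -> dict:
    return FAKE_HTTP[url]  # would be an HTTPS GET in a real client


def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """RSASSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_rs256(header: dict, payload: dict) -> str:
    """Mint a token with the demo private key (the server side of the exchange)."""
    compact = lambda obj: b64u_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    s = pow(int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), K), "big"), D, N)
    return signing_input + "." + b64u_encode(s.to_bytes(K, "big"))


def jwks_url_from_issuer(iss: str) -> str:
    """The 'educated guess' from the answer: keys live under <iss>/.well-known/.
    A general OIDC client reads openid-configuration and follows jwks_uri;
    if that document is unavailable, fall back to the Auth0 jwks.json path."""
    base = iss.rstrip("/")
    try:
        return fetch_json(base + "/.well-known/openid-configuration")["jwks_uri"]
    except KeyError:
        return base + "/.well-known/jwks.json"


def verify_rs256(token: str) -> dict:
    """Return the payload if the signature checks out against the issuer's JWKS."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64u_decode(h64))
    payload = json.loads(b64u_decode(p64))
    if header.get("alg") != "RS256":            # pin the algorithm; never trust "none"
        raise ValueError("unexpected alg")
    iss = payload.get("iss")
    if iss not in TRUSTED_ISSUERS:              # an attacker-chosen iss would point at attacker keys
        raise ValueError("untrusted issuer")
    keys = fetch_json(jwks_url_from_issuer(iss))["keys"]
    jwk = next((k for k in keys if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no key with matching kid")
    n = int.from_bytes(b64u_decode(jwk["n"]), "big")
    e = int.from_bytes(b64u_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64u_decode(s64)
    if len(sig) != k:
        raise ValueError("signature length mismatch")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(em, emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k)):
        raise ValueError("bad signature")
    return payload


if __name__ == "__main__":
    tok = sign_rs256({"alg": "RS256", "typ": "JWT", "kid": "demo-key-1"},
                     {"iss": ISSUER, "sub": "user-1"})
    print(verify_rs256(tok))
```

The issuer allowlist is the part a debugger like JWT.io can afford to skip but a relying party cannot: if the verifier follows whatever `iss` the token carries, the token's author also chooses which JWKS the verifier trusts, and the signature check proves nothing.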