Question: JWK vs. PEM, what is the difference?

First, let’s define them.

JSON Web Key (JWK)

This format is defined by the JSON Web Key IETF RFC. The JSON Web Keys Set (JWKS) for your tenant is available via the https://YOUR_DOMAIN/.well-known/jwks.json endpoint. This is a standard set for the OAuth2 framework, and is typically used by applications that need to retrieve public key programmatically. This is done behind-the-scenes by most of our SDKs.

If you try the JWKS URL (with your domain) in your browser, you should see a JSON object containing keys and associated information like; which algorithm, what the key is used for, a certificate, and key ID.

If you want to learn more about JWKS, you should take a look at our JWT Handbook.

Privacy Enhanced Mail (PEM) Certificate

A PEM certificate from Auth0 is a text file containing a Base 64 encoded public key certificate. This is a common format for public and private keys, and in the context of Auth0, public signing keys are made available via the https://YOUR_DOMAIN/pem endpoint. This is a convenient way for a human to retrieve a public key for use with the JWT.io token debugger.

Take a look at some examples.

Here is an example JWKS:

{
  "keys": [
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "n": "sGQGrUGqZGMmDwMg1yH0jlP_186h55t95KQAeH2QVXMuLYzCnphTMWtPC5BOCFJWiiuzsvpfTmM2WmzOHDSfq8G-fmr_ZFEJJsJgxvs2B4J_MEa8h56fiCAumanHDc5Dk0MZUYUmbLghC11plC9rmotttLY0zyXdFrUdOycC9feTmB0Y7dWphlikPdLGhogWnXOKbQrEmaWe3gdlOTAhWFdB46L9KAHv9blr9OEg_ydQIAHMtX4E5yKngfGNFVQscVsBhk-KvvNbKh4nxelMfkJv1kOb3i_ablSQrC7FgxG20ULnYppQYhy2DIChQXrdjxnugJNRcy4ncnNtPs5ddw",
      "e": "AQAB",
      "kid": "8oaG5fcZCdtbKXUD2o0Q5",
      "x5t": "wtP4GQmf6Okdbz23AB-AVHxTO9g",
      "x5c": [
        "MIIDBTCCAe2gAwIBAgIJPqxTH9OmlUdcMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNVBAMTFWp3ay1kZW1vLnVzLmF1dGgwLmNvbTAeFw0yMTA0MjgyMDMwMDlaFw0zNTAxMDUyMDMwMDlaMCAxHjAcBgNVBAMTFWp3ay1kZW1vLnVzLmF1dGgwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALBkBq1BqmRjJg8DINch9I5T/9fOoeebfeSkAHh9kFVzLi2Mwp6YUzFrTwuQTghSVoors7L6X05jNlpszhw0n6vBvn5q/2RRCSbCYMb7NgeCfzBGvIeen4ggLpmpxw3OQ5NDGVGFJmy4IQtdaZQva5qLbbS2NM8l3Ra1HTsnAvX3k5gdGO3VqYZYpD3SxoaIFp1zim0KxJmlnt4HZTkwIVhXQeOi/SgB7/W5a/ThIP8nUCABzLV+BOcip4HxjRVULHFbAYZPir7zWyoeJ8XpTH5Cb9ZDm94v2m5UkKwuxYMRttFC52KaUGIctgyAoUF63Y8Z7oCTUXMuJ3JzbT7OXXcCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUS6hKKDm3MYsd/MvwH78ILhPMTKEwDgYDVR0PAQH/BAQDAgKEMA0GCSqGSIb3DQEBCwUAA4IBAQBtKk0bwVlQdRnHiFd4/k2MFjvdeOwjaUM9fg1QFXMsc0z1YxU21Rl4DS8855yCkWAWWCzyHi2ZP+ooWSTE+Dtdun+uknnOMKBQWdPUJgP2S8C1iLLMrEcDdfKgOGDGgMN1f07O8HhSgBxxtnxD5U6QbWpYEJgS7NDZ7ktzeOI3SMVXF7zR63cLsXXuMZYAX71o7itqNJ5IurPRruSoZpcYcuxZPOmrB6CinUFHFn2J7d8AFxFu7tx3pbmzJtbvGSza086uMfxmTRSOBFUinD8ShsgUoZsZH+i+c8TmHv5imaWTaToE7JMatmNP+9i8vhAvIM/kwpR7R/50pkrDWCew"
      ]
    },
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "n": "up6wIOegIGLv5hb-mXqT_t7-HmZYz-ACAMR-e1cxJMzAVqf5sLmF9C1IPWsYvGKjAVmSlhQaL4w5zWvPxmxsnBUTQeUDq9hUaKE0c6KxUmsaaO40NVDdp5ga1FzeXs-bzllS61LVXku14vdORPao08sY4Y7RL8lL9AZc821QrLiuORaI30lzmxVJwtn4NxKeYI3NkUYk4EpM7a-qvJrtFRlBCXB6ZdNDBwKzUCcY5tJvnk8EWnRpl1iu2qeJcG8TiyTFMTC-oxkD9Bz3NrTgKld4PZlYvw4R5oBXMkf74vwvaxh3G7w-PcKot3DeQ-VDVRgDqzVF7JbXfvkyEYydqw",
      "e": "AQAB",
      "kid": "zYJRWS5DdTnqosLOYLS1E",
      "x5t": "D9pI046Bz90XvxNTvfoxZyi4Its",
      "x5c": [
        "MIIDBTCCAe2gAwIBAgIJWPxLgm2yrD9KMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNVBAMTFWp3ay1kZW1vLnVzLmF1dGgwLmNvbTAeFw0yMTA0MjgyMDMwMTBaFw0zNTAxMDUyMDMwMTBaMCAxHjAcBgNVBAMTFWp3ay1kZW1vLnVzLmF1dGgwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqesCDnoCBi7+YW/pl6k/7e/h5mWM/gAgDEfntXMSTMwFan+bC5hfQtSD1rGLxiowFZkpYUGi+MOc1rz8ZsbJwVE0HlA6vYVGihNHOisVJrGmjuNDVQ3aeYGtRc3l7Pm85ZUutS1V5LteL3TkT2qNPLGOGO0S/JS/QGXPNtUKy4rjkWiN9Jc5sVScLZ+DcSnmCNzZFGJOBKTO2vqrya7RUZQQlwemXTQwcCs1AnGObSb55PBFp0aZdYrtqniXBvE4skxTEwvqMZA/Qc9za04CpXeD2ZWL8OEeaAVzJH++L8L2sYdxu8Pj3CqLdw3kPlQ1UYA6s1ReyW1375MhGMnasCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU+EYHSzXFhLHpYCjHdIDVtaEmVaQwDgYDVR0PAQH/BAQDAgKEMA0GCSqGSIb3DQEBCwUAA4IBAQAq6yZ6cKw20cVK4ePzd6oDQjnqvxZs4o8pevSApe0ZufP8ua4kw6u1QGiLwCu/R5k6duL8UXESrjMzhot0yjYTfHqMs6wVs65sTMnkg1ipS0EIuTNzFBYEzmlqSekgi8RHxliT7i7a8pVCZBeHbsz/Di48L7ZkXemtt3Y6wDquhfzip/NVhux4/YDrJ0XRe/C0DZfs6ChDX1p4fntdUP/IWx1GJOvXmUpWI/Hqs5KqoH1kWT1q7IU1YKX8rCZCyVD2vrVemFmgOYON18BK7CnRhVPh/I5I5bEu04HGHpUbzjrLzA+87wjTiNahLt1PACYVflkk9DVXzBYYhq4VH8mn"
      ]
    }
  ]
}

Here is a PEM certificate for the first key in the above JWKS:

-----BEGIN CERTIFICATE-----
MIIDBTCCAe2gAwIBAgIJPqxTH9OmlUdcMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNV
BAMTFWp3ay1kZW1vLnVzLmF1dGgwLmNvbTAeFw0yMTA0MjgyMDMwMDlaFw0zNTAx
MDUyMDMwMDlaMCAxHjAcBgNVBAMTFWp3ay1kZW1vLnVzLmF1dGgwLmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALBkBq1BqmRjJg8DINch9I5T/9fO
oeebfeSkAHh9kFVzLi2Mwp6YUzFrTwuQTghSVoors7L6X05jNlpszhw0n6vBvn5q
/2RRCSbCYMb7NgeCfzBGvIeen4ggLpmpxw3OQ5NDGVGFJmy4IQtdaZQva5qLbbS2
NM8l3Ra1HTsnAvX3k5gdGO3VqYZYpD3SxoaIFp1zim0KxJmlnt4HZTkwIVhXQeOi
/SgB7/W5a/ThIP8nUCABzLV+BOcip4HxjRVULHFbAYZPir7zWyoeJ8XpTH5Cb9ZD
m94v2m5UkKwuxYMRttFC52KaUGIctgyAoUF63Y8Z7oCTUXMuJ3JzbT7OXXcCAwEA
AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUS6hKKDm3MYsd/MvwH78I
LhPMTKEwDgYDVR0PAQH/BAQDAgKEMA0GCSqGSIb3DQEBCwUAA4IBAQBtKk0bwVlQ
dRnHiFd4/k2MFjvdeOwjaUM9fg1QFXMsc0z1YxU21Rl4DS8855yCkWAWWCzyHi2Z
P+ooWSTE+Dtdun+uknnOMKBQWdPUJgP2S8C1iLLMrEcDdfKgOGDGgMN1f07O8HhS
gBxxtnxD5U6QbWpYEJgS7NDZ7ktzeOI3SMVXF7zR63cLsXXuMZYAX71o7itqNJ5I
urPRruSoZpcYcuxZPOmrB6CinUFHFn2J7d8AFxFu7tx3pbmzJtbvGSza086uMfxm
TRSOBFUinD8ShsgUoZsZH+i+c8TmHv5imaWTaToE7JMatmNP+9i8vhAvIM/kwpR7
R/50pkrDWCew
-----END CERTIFICATE-----

You’ll notice the x5c claim in the first key in the JWKS matches the body of the PEM certificate!

Answer:

The JWK contains the certificate in addition to other claims about the key. This information is useful for applications and servers. The PEM provides the certificate in a way that is easily human accessable for use with tools like JWT.io.

Sources:

Documentation: RFC7517, JSON Web Key Sets
Community Topics: Where is the Auth0 public key to be used in jwt.io to verify the signature of a RS256 token?