JWKS validator

Per RFC 7517, 7518 and 8037

Validates a JSON Web Key Set: required params per kty, key strength, alg/use consistency, kid uniqueness, accidental private key exposure.

What is this, and when do I need it?

What is this?

A JSON Web Key Set (JWKS, RFC 7517 § 5) is the list of public keys an OAuth2/OIDC issuer publishes at its jwks_uri so that verifiers can validate the JWTs it signs. This tool checks each key against RFC 7517 (kty, kid, use), RFC 7518 (RSA/EC parameters, algorithm consistency) and RFC 8037 (OKP keys: Ed25519, X25519). It flags weak RSA keys (modulus shorter than 2048 bits), accidental private-key exposure (d, p, q present in a public JWKS), symmetric oct keys in a public JWKS, colliding kid values, and inconsistent alg/kty pairs that make verifiers fail.
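To make those checks concrete, here is an added example in Python; it is not the validator's own code. It runs the same categories of checks over a constructed key set: required public parameters per kty, leaked private parameters, oct keys in a public set, RSA modulus length, duplicate kid values, and alg/kty/crv consistency using the algorithm table from RFC 7518 § 3.1 and RFC 8037. The kid strings and the two moduli are constructed placeholders, not real key material.

```python
"""Added example, not the validator's own code: JWKS sanity checks per
RFC 7517/7518/8037 over a constructed key set."""
import base64

# Which kty each JWS algorithm requires (RFC 7518 s3.1, RFC 8037 s3.1).
ALG_KTY = {
    **{a: "RSA" for a in ("RS256", "RS384", "RS512", "PS256", "PS384", "PS512")},
    **{a: "EC" for a in ("ES256", "ES384", "ES512")},
    **{a: "oct" for a in ("HS256", "HS384", "HS512")},
    "EdDSA": "OKP",
}
EC_ALG_CRV = {"ES256": "P-256", "ES384": "P-384", "ES512": "P-521"}
# Public parameters a key of each type must carry (RFC 7518 s6, RFC 8037 s2).
REQUIRED_PUBLIC = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}, "OKP": {"crv", "x"}, "oct": {"k"}}
# Parameters that only ever belong to the private half of a key.
PRIVATE_PARAMS = {"RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"}, "EC": {"d"}, "OKP": {"d"}}


def b64url_to_int(s):
    """Decode an unpadded base64url big-endian integer (JWK n, e, x, ...)."""
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")


def validate_jwks(jwks, min_rsa_bits=2048):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    keys = jwks.get("keys")
    if not isinstance(keys, list):
        return ['JWKS must contain a "keys" array (RFC 7517 s5)']
    first_index_of_kid = {}
    for i, key in enumerate(keys):
        label = key.get("kid") or f"key[{i}]"
        kty = key.get("kty")
        if kty not in REQUIRED_PUBLIC:
            findings.append(f"{label}: missing or unknown kty {kty!r}")
            continue
        params = set(key)
        missing = REQUIRED_PUBLIC[kty] - params
        if missing:
            findings.append(f"{label}: {kty} key lacks required {sorted(missing)}")
        leaked = PRIVATE_PARAMS.get(kty, set()) & params
        if leaked:
            findings.append(f"{label}: private parameters exposed {sorted(leaked)}")
        if kty == "oct":
            findings.append(f"{label}: symmetric oct key published in a public JWKS")
        if kty == "RSA" and "n" in key:
            bits = b64url_to_int(key["n"]).bit_length()
            if bits < min_rsa_bits:
                findings.append(f"{label}: RSA modulus is {bits} bits (< {min_rsa_bits})")
        kid = key.get("kid")
        if kid is not None:
            if kid in first_index_of_kid:
                findings.append(f"{label}: duplicate kid (also used by key[{first_index_of_kid[kid]}])")
            else:
                first_index_of_kid[kid] = i
        alg = key.get("alg")
        if alg is not None:
            expected_kty = ALG_KTY.get(alg)
            if expected_kty is None:
                findings.append(f"{label}: unrecognised alg {alg!r}")
            elif expected_kty != kty:
                findings.append(f"{label}: alg {alg} requires kty {expected_kty}, key is {kty}")
            elif kty == "EC" and key.get("crv") != EC_ALG_CRV[alg]:
                findings.append(f"{label}: alg {alg} requires crv {EC_ALG_CRV[alg]}, key has {key.get('crv')}")
        if key.get("use") not in (None, "sig", "enc"):
            findings.append(f"{label}: use must be \"sig\" or \"enc\", got {key['use']!r}")
    return findings


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed placeholders for the moduli: 2048-bit and 1024-bit odd integers,
# not real RSA keys; only their bit length matters to the check.
N_2048 = _b64url(b"\x80" + b"\x00" * 254 + b"\x01")
N_1024 = _b64url(b"\x80" + b"\x00" * 126 + b"\x01")

# Constructed sample JWKS exercising each finding; kid values are made up.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "2024-rotation", "use": "sig", "alg": "RS256", "n": N_2048, "e": "AQAB"},
    {"kty": "RSA", "kid": "2024-rotation", "use": "sig", "alg": "RS256", "n": N_1024, "e": "AQAB"},
    {"kty": "EC", "kid": "ec-1", "alg": "ES256", "crv": "P-384", "x": "AA", "y": "AA", "d": "AA"},
    {"kty": "oct", "kid": "hmac-1", "alg": "HS256", "k": "AA"},
]}

if __name__ == "__main__":
    for finding in validate_jwks(SAMPLE_JWKS):
        print(finding)
```

The first sample key is clean; the second shares its kid and carries a 1024-bit modulus, the EC key has a curve that does not match ES256 and leaks its private scalar d, and the oct key should never appear in a published set. Each condition surfaces as one line, which is the shape of output that makes "kid not found" and "invalid signature" reports easy to triage.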

When do I need it?

Before pointing a JWT verifier at a new issuer; after rotating a signing key; when debugging "kid not found" or "invalid signature" errors against a partner's IdP. It is also useful as a yearly sanity check on your own issuer's published JWKS.

Note: in URL mode the JWKS fetch goes through our server (browsers usually cannot fetch a foreign jwks_uri themselves because of CORS). We do not log the queried URL or the result. 12 requests per minute per IP.

Full HTTPS URL of the JWKS endpoint (e.g. https://accounts.google.com/.well-known/jwks or the jwks_uri from an OIDC discovery document).