What is this?
A JSON Web Key Set (JWKS, RFC 7517 § 5) is the list of public keys an OAuth2/OIDC issuer
publishes at its jwks_uri so that verifiers can validate the JWTs it signs. This tool checks each
key against RFC 7517 (kty, kid, use), RFC 7518 (RSA/EC parameters, algorithm consistency) and
RFC 8037 (OKP, Ed25519, X25519). It flags weak RSA moduli (< 2048 bits, the minimum RFC 7518
requires for RS*/PS*), accidental private-key exposure (d, p, q, dp, dq, qi on an RSA key, d on an
EC or OKP key), symmetric oct keys in a public JWKS (the k member is the HMAC secret itself),
colliding kid values, and alg/kty pairs that do not match (for example ES256 on an RSA key),
which make verifiers reject the key.
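The checks listed above, as an added, stand-alone example of the same kind of linter (this is not the tool's own code). It uses only the standard library and runs over a constructed JWKS embedded in the block; the RSA moduli in that sample are synthetic integers sized to 2048 and 1024 bits, not real keys, and the EC/OKP coordinates are filler bytes, so only structural and size checks are meaningful here:

```python
import base64
import json
import sys

# JWS algorithm -> required kty (RFC 7518 §3.1, RFC 8037 §3.1). JWE key-management
# algorithms (RSA-OAEP, ECDH-ES, ...) are not mapped and are reported as "not checked".
ALG_KTY = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC",
    "EdDSA": "OKP",
    "HS256": "oct", "HS384": "oct", "HS512": "oct",
}
ES_CURVE = {"ES256": "P-256", "ES384": "P-384", "ES512": "P-521"}  # RFC 7518 §3.4
KNOWN_KTY = ("RSA", "EC", "OKP", "oct")
# Members that must never appear in a published JWKS (RFC 7518 §6.2.2, §6.3.2; RFC 8037 §2).
PRIVATE_PARAMS = {"RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"}, "EC": {"d"}, "OKP": {"d"}}
REQUIRED = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}, "OKP": {"crv", "x"}, "oct": {"k"}}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def rsa_modulus_bits(n_b64: str) -> int:
    # n is a big-endian unsigned integer (RFC 7518 §6.3.1.1); its bit length is the key size.
    return int.from_bytes(b64url_decode(n_b64), "big").bit_length()


def lint_jwks(jwks: dict) -> list[str]:
    """Return one finding per problem; an empty list means the key set passed."""
    keys = jwks.get("keys")
    if not isinstance(keys, list):
        return ["top-level 'keys' must be a JSON array (RFC 7517 §5.1)"]
    findings, seen_kid = [], {}
    for i, key in enumerate(keys):
        where = f"keys[{i}]"
        kty = key.get("kty")
        if kty not in KNOWN_KTY:
            findings.append(f"{where}: missing or unknown kty {kty!r} (RFC 7517 §4.1)")
            continue
        kid = key.get("kid")
        if kid is None:
            findings.append(f"{where}: no kid; verifiers cannot select this key from the JWT header")
        elif kid in seen_kid:
            findings.append(f"{where}: kid {kid!r} collides with keys[{seen_kid[kid]}]")
        else:
            seen_kid[kid] = i
        use = key.get("use")
        if use not in (None, "sig", "enc"):
            findings.append(f"{where}: use must be 'sig' or 'enc', got {use!r} (RFC 7517 §4.2)")
        alg = key.get("alg")
        if alg is not None:
            want = ALG_KTY.get(alg)
            if want is None:
                findings.append(f"{where}: alg {alg!r} is not a JWS algorithm known here; kty consistency not checked")
            elif want != kty:
                findings.append(f"{where}: alg {alg} requires kty {want}, but kty is {kty}; verifiers will reject this key")
            elif alg in ES_CURVE and key.get("crv") != ES_CURVE[alg]:
                findings.append(f"{where}: {alg} requires crv {ES_CURVE[alg]}, got {key.get('crv')!r}")
        if kty == "oct":
            findings.append(f"{where}: symmetric 'oct' key in a published JWKS; 'k' is the HMAC secret itself")
        leaked = sorted(PRIVATE_PARAMS.get(kty, set()) & set(key))
        if leaked:
            findings.append(f"{where}: private parameters {leaked} present in a public JWKS; rotate this key")
        missing = sorted(REQUIRED[kty] - set(key))
        if missing:
            findings.append(f"{where}: {kty} key is missing required parameters {missing}")
        elif kty == "RSA":
            bits = rsa_modulus_bits(key["n"])
            if bits < 2048:
                findings.append(f"{where}: RSA modulus is only {bits} bits; RFC 7518 §3.3 requires >= 2048")
    return findings


# Constructed sample (not a real issuer's JWKS): synthetic moduli and filler coordinates.
N2048 = b64url_encode(((1 << 2047) | 1).to_bytes(256, "big"))
N1024 = b64url_encode(((1 << 1023) | 1).to_bytes(128, "big"))
COORD = b64url_encode(b"\x01" * 32)
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "2024-01", "use": "sig", "alg": "RS256", "n": N2048, "e": "AQAB"},  # clean
    {"kty": "RSA", "kid": "2024-01", "use": "sig", "alg": "RS256", "n": N1024, "e": "AQAB"},  # kid collision, weak
    {"kty": "EC", "kid": "ec-1", "use": "sig", "alg": "ES256", "crv": "P-256",
     "x": COORD, "y": COORD, "d": b64url_encode(b"\x02" * 32)},                              # private d leaked
    {"kty": "oct", "kid": "hmac-1", "alg": "HS256", "k": COORD},                               # secret published
    {"kty": "OKP", "kid": "ed-1", "alg": "ES256", "crv": "Ed25519", "x": COORD},               # alg/kty mismatch
]}


if __name__ == "__main__":
    # Usage: python jwks_lint.py [jwks.json]; without an argument the sample above is linted.
    jwks = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_JWKS
    for finding in lint_jwks(jwks) or ["no findings"]:
        print(finding)
```

The sample is deliberately built so that each key after the first trips exactly one class of check, which makes the findings list easy to read against the rules in the paragraph above; point the script at a real jwks_uri download to lint a live key set.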
When do I need it?
Before pointing a JWT verifier at a new issuer; after rotating a signing key; when debugging "kid not found" or "invalid signature" errors against a partner's IDP. Also useful as a sanity check on your own issuer's published JWKS once a year.