Sample JWKS and Token Service

What can you do here?

This service hosts a JWKS endpoint, listing various sample public keys in the format prescribed by IETF RFC 7517. It will also

• generate example JWT signed or encrypted with the key you select.
• show you the private and public keys used for signing and encrypting, in PEM format.

This service is intended to help you understand basic JWT and JWKS concepts, and test your own code.

Ask for a Token or Key

Type signed encrypted

Key ID

Algorithm

Want jti?

Want jku?

Expiry seconds minutes hours days weeks

Not Before seconds minutes hours days weeks

Additional Header Claims {}

Additional Payload Claims ⟳

Private Key Public Key Token Clear

Notes

1. This service is not for use in production. This service discloses the private keys freely. Do not use the keys emitted here for securing anything you really care about. This service is intended for use during development only.
2. The keys hosted here are ephemeral and may disappear at any time. Do not depend on them. This service does not rotate keys. This service is intended for educational use during development only.
3. The claims you specify here are not private. They are transmitted to a server and are signed there. The server doesn't store information, but any data you submit here may be logged.
4. The Key Identifier (kid), Type (typ), and Algorithm (alg) claims are always added to the header of the example JWTs that get generated.
5. The issued-at (iat) time is always added to the payload of the example JWTs that get generated.
6. If you set the Expiry to 0, there will be no exp claim in the generated JWT. Likewise for Not Before.
7. If you specify an explicit value for exp or nbf, you will get those values in the generated JWT only if the corresponding form setting is 0.
8. If you ask for an encrypted JWT, you don't get to select the content encrypting algorithm. Only the key-encrypting algorithm. The content encrytion is always "A128CBC-HS256".
9. This web page does not decode existing JWT.

API

The API that backs this page is available publicly.

• GET /.well-known/jwks.json - returns the JWKS in application/json

• GET /keyids - returns a JSON array of available keyids with no further information

• GET /keyids?type=rsa - returns a JSON array of keyids of type=RSA

• GET /keys/KEYID - returns a JSON containing the private and public key in PEM-encoded format for the key identified by keyid

• GET /keys/KEYID/private - returns a plaintext PEM-encoded version of the private key identified by keyid

• GET /keys/KEYID/public - returns a plaintext PEM-encoded version of the public key identified by keyid

• POST /token - returns a new JWT, with a contrived payload, signed or encrypted with a randomly selected key and algorithm.

• POST /token?keyid=xxx&alg=YYY - returns a new JWT, with a contrived payload, signed or encrypted with the specified key and using the specified signing/encryption algorithm.

• POST /token -H content-type:application/json - returns a new JWT, signed with the specified key. The creation parameters for the JWT are specified in the json payload of this request. Example: copy

  {
    "keyid" : "b3ff2166",
    "alg" : "RS256",
    "expiry" : "300s",
    "notbefore" : "10s",
    "wantjti" : true,
    "payloadclaims" : { "nonce" : "8b5df20b01249df6f6", "foo": true },
    "headerclaims" : { "whatev" : "abcdef" }
                }

  All of these fields are optional. For any fields you do not specify, the service will select a reasonable or contrived value.

Manifest

• Author: Dino Chiesa <dchiesa@google.com>
• Build-Time: 2024-08-23T00:28:29Z
• Project-Version: 20240822
• Instance launch: 2025-11-08T02:14:10.560959Z