Question 1

What is a JWKS and why do I need to inspect it?

Accepted Answer

A JSON Web Key Set (JWKS) is a JSON document containing one or more public keys used to verify JWTs. You inspect it when debugging OAuth 2.0 or OIDC integrations — to confirm the key ID (kid), algorithm (alg), and key type (kty) match what your token validation library expects. Mismatches cause silent verification failures.

Question 2

What does kid, alg, use, and kty mean in a JWK?

Accepted Answer

kid is the key ID — a string your server uses to select which key to verify a token with. alg is the signing algorithm (RS256, ES256, EdDSA, etc.). use indicates the key's purpose: 'sig' for signature verification, 'enc' for encryption. kty is the key type: RSA, EC, or OKP. This tool decodes all four fields alongside RSA modulus length and EC curve for every key in the set.

Question 3

How do I find my identity provider's JWKS URL?

Accepted Answer

For most OIDC providers the JWKS URL is published at /.well-known/openid-configuration — fetch that endpoint, find the jwks_uri field, and paste it here. For Auth0 it is typically https://YOUR_DOMAIN/.well-known/jwks.json. For Cognito: https://cognito-idp.REGION.amazonaws.com/POOL_ID/.well-known/jwks.json. For Google: https://www.googleapis.com/oauth2/v3/certs.

Question 4

Why does JWKS URL fetch fail with a CORS error?

Accepted Answer

Some identity providers block browser-origin fetch requests because their JWKS endpoints are not configured to return CORS headers. When that happens, switch to 'Paste raw JSON' mode: copy the JWKS JSON from your terminal (curl https://your-provider/.well-known/jwks.json), paste it into the textarea, and click Decode. All key analysis runs locally — no data leaves your browser regardless of input method.

Question 5

Does this tool send my keys or JWKS to a server?

Accepted Answer

No. All decoding runs in the browser using the WebCrypto API. No key material, JWKS URL, or JSON is transmitted to any server. Open your browser's network tab while using the tool — you will see zero outbound requests during analysis. The URL fetch tab uses a direct browser fetch to the URL you enter; even then, only that URL is contacted, not Septim's servers.

Question 6

What key algorithms does the JWKS Viewer decode?

Accepted Answer

The viewer decodes RSA keys (RS256, RS384, RS512, PS256, PS384, PS512) and reports modulus length in bits. For EC keys (ES256, ES384, ES512) it shows the named curve (P-256, P-384, P-521). OKP keys (EdDSA / Ed25519) are displayed with their curve and use. It also renders the full x5c certificate chain if present, displayed as PEM blocks.

Inspect any JWKS — every key decoded, never leaves the browser.

Paste JWKS. Inspect every key.

Debugging JWKS by hand is the status quo.