JSON Web Key (JWK) Set Generator
Generate cryptographic signing keys in JSON Web Key format and assemble them into a JWKS (JSON Web Key Set) ready to publish at /.well-known/jwks.json. Supports RSA, RSA-PSS and ECDSA across the full JWA range (RS256/384/512, PS256/384/512, ES256/384/512). Every key is generated locally in your browser via the Web Crypto API — nothing leaves the page.
How to Use
- Pick the JWA algorithm — RS256 is the OAuth 2.0 / OIDC default, ES256 produces smaller signatures.
- Choose a key use: sig for signing JWTs, enc for content-key wrapping, or omit it.
- Pick a Key ID (kid) strategy — RFC 7638 thumbprint is recommended; UUID v4 and custom strings are also available.
- Click Generate & Add to Set. The Private JWK, Public JWK and the kid appear immediately.
- Click Generate again with a different algorithm to add another key to the same set — the JWKS bundle grows automatically.
- Copy the Public JWKS to publish at /.well-known/jwks.json, and keep the Private JWKS on the signing server only.
- Use Clear Set to wipe state and start a fresh JWKS.
Features
- Nine JWA algorithms – RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512.
- JWK + JWKS output – Individual private and public JWKs plus a multi-key JWKS bundle in the OAuth 2.0 / OIDC format.
- RFC 7638 thumbprints – Deterministic, canonical kid values so clients can pick the right key from a published JWKS.
- 100% client-side – Powered by SubtleCrypto generateKey + exportKey; no key material ever crosses the network.
- JSON downloads – Save private JWK, public JWK, public JWKS and private JWKS as JSON files with sensible filenames.
- Optional use field – Tag keys as sig or enc to match consumer expectations.
FAQ
- What is a JWK and how is it different from a PEM key?
A JSON Web Key (JWK) is a JSON object that represents a cryptographic key. Unlike PEM (which wraps an opaque ASN.1 DER blob in base64), a JWK exposes the raw key parameters as named fields (n, e for RSA; crv, x, y for EC), plus metadata like alg, use and kid. JWKs are the native format for JOSE — the standards that include JWT, JWS, JWE — so JWT libraries can consume them without an ASN.1 parser.
- What is a JWKS and where do I host it?
A JWKS (JSON Web Key Set) is a JSON document of the form {"keys":[...]} that lists one or more public JWKs. OAuth 2.0 and OIDC servers publish their JWKS at a well-known URL — typically /.well-known/jwks.json or the value of the jwks_uri field in the OIDC discovery document. Clients fetch that URL, find the key whose kid matches the JWT header, and use it to verify the signature.
- Why should the kid be an RFC 7638 thumbprint?
RFC 7638 defines a deterministic, canonical hash of the required public key fields. That gives every key a globally unique, content-addressed identifier that does not change if you re-serialize the JWK. It is the safest default: two parties that derive the kid independently always agree, and rotating to a new key naturally produces a new kid.
- When should I pick RS256 versus ES256 or PS256?
RS256 (RSASSA-PKCS1-v1_5 with SHA-256) is the most widely supported algorithm — pick it when you need maximum compatibility with older OAuth 2.0 / OIDC clients. ES256 (ECDSA over P-256) produces much smaller signatures and is the modern default for new systems. PS256 (RSA-PSS) is the security-modernized RSA variant — choose it when you need RSA compatibility but want the stronger probabilistic signature scheme.
