Skip to content

How to configure JWKS

The JSON Web Key Set (JWKS) is a set of keys containing the public keys used to verify any JSON Web Token (JWT) issued by the authorization server and signed using the RS256 signing algorithm.

When building applications and APIs in Cloud-IAM's keycloak deployments, four algorithms are supported for signing JWTs: RS256, RS384, RS512 and HS256. RS256 generates an asymmetric signature, which means that a private key must be used to sign the JWT and a different public key must be used to verify the signature.

Keycloak uses the JSON Web Key (JWK) specification to represent the cryptographic keys used to sign RS256 tokens. This specification defines two high-level data structures: JSON Web Key (JWK) and JSON Web Key Set (JWKS, a set of JSON Web Key per RFC 7517).

To configure remote JKWS to a client application, first activate JWKS authentication for client application from Keycloak console:


Then configure the JWKS url of the application or a certificate directly (URL is recommended to automate certificate rollover).


Regarding the application configuration, set up Keycloak JWKS url from the .well-known endpoint that is available in the main realm setting page:

realm settings
Realm settings

This URL should be following this pattern: /auth/realms/MY-REALM/protocol/openid-connect/certs.

Use this URL to configure the client application.