6/25/2018 - 11:59 PM


When creating applications and resources servers (APIs) in Auth0, two algorithms are supported for 
signing JSON Web Tokens (JWTs): RS256 and HS256. RS256 generates an asymmetric signature, 
which means a private key must be used to sign the JWT and a different public key must be used to
verify the signature.

Auth0 uses the JWK specification to represent the cryptographic keys used for signing RS256 tokens.
This specification defines two high level data structures: JSON Web Key (JWK) and JSON Web Key Set (JWKS).

JSON Web Key (JWK)
A JSON object that represents a cryptographic key. The members of the object represent properties of 
the key, including its value.

JSON Web Key Set (JWKS)
A JSON object that represents a set of JWKs. The JSON object MUST have a keys member, which is an array 
of JWKs.

At the most basic level, the JWKS is a set of keys containing the public keys that should be used to 
verify any JWT issued by the authorization server. Auth0 exposes a JWKS endpoint for each tenant,
which is found at https://YOUR_AUTH0_DOMAIN/.well-known/jwks.json