JWKS Inspector

Decode a JWKS, view each JWK's kty, alg, kid, RSA modulus, EC curve, and x5c chain, compute RFC 7638 thumbprints, and match a JWT to its verifying key.

RFC 7517 / 7518 / 7638 / 8037

Paste the body of a jwks_uri response. A single JWK object is also accepted.

JWK Set - 3 keys

0 errors, 0 warnings. Validation against RFC 7517 / 7518 / 8037.

  1. kty=RSA alg=RS256 use=sig

    kid: sample-rsa-key

    Modulus: 2048 bits
    Exponent (e): 65537

    RFC 7638 SHA-256 thumbprint

    The canonical kid for this key. Many providers publish this exact value as the kid.

    Thumbprint input (canonical JSON)
    {"e":"AQAB","kty":"RSA","n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"}
  2. kty=EC alg=ES256 use=sig

    kid: sample-ec-key

    Curve: P-256
    Curve bits: 256

    RFC 7638 SHA-256 thumbprint

    The canonical kid for this key. Many providers publish this exact value as the kid.

    Thumbprint input (canonical JSON)
    {"crv":"P-256","kty":"EC","x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU","y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
  3. kty=OKP alg=EdDSA use=sig

    kid: sample-ed25519-key

    Curve: Ed25519
    Curve bits: 256

    RFC 7638 SHA-256 thumbprint

    The canonical kid for this key. Many providers publish this exact value as the kid.

    Thumbprint input (canonical JSON)
    {"crv":"Ed25519","kty":"OKP","x":"11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"}

Quick reference

JWKS shape (RFC 7517)

A JWK Set is a JSON object with a top-level keys array. Each element is a JWK with at least a kty field (RSA, EC, OKP, or oct) plus the family-specific members.

RFC 7638 thumbprint

The thumbprint hashes only the required members per kty in lexicographic order with no whitespace, then base64url-encodes the SHA-256 digest. Many issuers publish this exact value as the kid.
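
The canonicalization described above, as an added Python example (not the tool's own code, which the page says runs on the Web Crypto API). The function names are illustrative, and the input is the page's sample Ed25519 key with its optional members left in to show that they do not affect the result.

```python
import base64
import hashlib
import json

# Required members per key type (RFC 7638 section 3.2; OKP per RFC 8037).
REQUIRED = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
    "oct": ("k", "kty"),
}

def canonical_json(jwk: dict) -> str:
    """Serialize only the required members, sorted, with no whitespace."""
    kty = jwk.get("kty")
    if kty not in REQUIRED:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [m for m in REQUIRED[kty] if not isinstance(jwk.get(m), str)]
    if missing:
        raise ValueError(f"{kty} key is missing required members: {missing}")
    subset = {m: jwk[m] for m in REQUIRED[kty]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)

def thumbprint(jwk: dict) -> str:
    """base64url (unpadded) of SHA-256 over the canonical JSON's UTF-8 bytes."""
    digest = hashlib.sha256(canonical_json(jwk).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def kid_is_custom(jwk: dict) -> bool:
    """True when the published kid is not the RFC 7638 thumbprint."""
    return jwk.get("kid") != thumbprint(jwk)

# The page's sample Ed25519 key, including the optional members (kid, use,
# alg) that a published JWKS usually carries.
SAMPLE_OKP = {
    "kid": "sample-ed25519-key", "use": "sig", "alg": "EdDSA",
    "kty": "OKP", "crv": "Ed25519",
    "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
}

if __name__ == "__main__":
    print(canonical_json(SAMPLE_OKP))
    print(thumbprint(SAMPLE_OKP), "custom kid:", kid_is_custom(SAMPLE_OKP))
```

Because kid, use and alg are excluded from the hash input, re-labelling a key never changes its thumbprint; only a change of key material does.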

Verifier lookup order

Verifiers match the token kid against the JWK Set first. If the kid is missing they fall back to the first key whose kty and alg match the JWS header.
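
The lookup order above with a per-key trace, as an added Python example (not the tool's own code). It assumes a verifier-side algorithm allow-list and treats alg, use and key_ops that are absent from a JWK as placing no restriction; `select_key` and `SAMPLE_JWKS` are illustrative names.

```python
# JWS alg -> JWK kty it requires (RFC 7518, RFC 8037).
ALG_KTY = {"RS256": "RSA", "RS384": "RSA", "RS512": "RSA", "PS256": "RSA",
           "ES256": "EC", "ES384": "EC", "ES512": "EC", "EdDSA": "OKP"}

def select_key(header, jwks, allowed_algs=("RS256", "ES256", "EdDSA")):
    """Return (selected JWK or None, trace lines) for a decoded JWS header."""
    alg, kid = header.get("alg"), header.get("kid")
    # The token header is untrusted input: refuse any alg not configured here.
    if alg not in allowed_algs or alg not in ALG_KTY:
        return None, [f"alg {alg!r} is not accepted by this verifier"]
    selected, trace = None, []
    for i, jwk in enumerate(jwks.get("keys", [])):
        checks = {
            "kty": jwk.get("kty") == ALG_KTY[alg],
            "alg": jwk.get("alg") in (None, alg),
            "use": jwk.get("use") in (None, "sig"),
            "key_ops": "key_ops" not in jwk or "verify" in jwk["key_ops"],
        }
        if kid is not None:  # kid present: it must match exactly
            checks["kid"] = jwk.get("kid") == kid
        failed = [name for name, ok in checks.items() if not ok]
        verdict = "rejected on " + ", ".join(failed) if failed else "accepted"
        trace.append(f"keys[{i}] kid={jwk.get('kid')!r}: {verdict}")
        if not failed and selected is None:
            selected = jwk  # first acceptable key wins
    return selected, trace

# Constructed input: the page's three sample keys, key material omitted
# because selection reads only the metadata members.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "sample-rsa-key"},
    {"kty": "EC", "alg": "ES256", "use": "sig", "kid": "sample-ec-key"},
    {"kty": "OKP", "alg": "EdDSA", "use": "sig", "kid": "sample-ed25519-key"},
]}

if __name__ == "__main__":
    for hdr in ({"alg": "ES256", "kid": "sample-ec-key"}, {"alg": "EdDSA"},
                {"alg": "RS256", "kid": "sample-ec-key"}, {"alg": "none"}):
        key, trace = select_key(hdr, SAMPLE_JWKS)
        print(hdr, "->", key and key["kid"])
        print("\n".join("  " + line for line in trace))
```

The third header names an EC key by kid while claiming RS256, and the trace shows it rejected on kty and alg rather than being handed to an RSA verifier.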

Common issuer endpoints

Google: /.well-known/jwks.json. Auth0: /.well-known/jwks.json. AWS Cognito: /.well-known/jwks.json. Apple, Firebase, Microsoft, and Okta all serve the same shape.

How to use

  1. Pick a mode at the top: Inspect JWKS to decode each key in a set, or Match JWT to key to find which key verifies a token.
  2. Paste the body of a jwks_uri response (or a single JWK) into the JWKS document panel. Use the sample chips to load a multi-key set, a single RSA key, or a broken set that demonstrates the error and warning surface.
  3. Read the per-key card: kty, alg, kid, use, modulus or curve bits, key_ops, and the x5c chain count appear as badges, validation messages appear inline, and the RFC 7638 SHA-256 thumbprint appears below with a Copy button.
  4. If the published kid does not equal the computed thumbprint, the card shows a 'Published kid is custom' badge so you can decide whether to keep it or rotate.
  5. Switch to Match JWT to key, paste a token, and read the selected key plus the per-key match trace (kid, alg, kty, use, key_ops). The reasoning behind every accepted or rejected key is shown so verification failures stop being mysterious.
  6. Click any Copy button to grab a key JSON, the thumbprint, or the normalized JWK Set so you can paste it straight into your code, test fixture, or issue tracker.

About this tool

JWKS Inspector is a focused workbench for the JSON Web Key Set document published at the jwks_uri of every OAuth 2.0 / OpenID Connect provider. The tool covers the four jobs developers actually need to do when wiring up an external identity provider, debugging a verifier, or rotating their own signing keys.

First, it decodes the document. Paste the body of a jwks_uri response and each key in the keys array is rendered as a card with its kty (RSA, EC, OKP, or oct), alg, kid, use, and key_ops surfaced as quick-read badges and the original JSON kept available behind a Copy button. A single JWK object (no surrounding keys array) is accepted too.

Second, it validates each key against RFC 7517 (JWK), RFC 7518 (JWA), and RFC 8037 (CFRG curves). The validator checks that every required parameter is present per family, that base64url members decode cleanly, that the RSA modulus size is at least the modern 2048-bit floor, that the EC and OKP coordinates are the right byte length for the declared curve (P-256, P-384, P-521, secp256k1, Ed25519, Ed448, X25519, X448), that the alg field is consistent with the kty and crv, and that use and key_ops do not contradict each other. Errors are highlighted in red, soft warnings in amber, healthy keys in green.

Third, it computes the RFC 7638 SHA-256 thumbprint for every key. The thumbprint is the canonical key identifier formula every modern issuer uses: serialize only the required JWK members in lexicographic order with no whitespace, then base64url-encode the SHA-256 digest of the UTF-8 bytes. The tool shows the computed thumbprint next to the published kid so a custom kid is obvious at a glance.

Fourth, it matches a JWT to a key. Paste a token in the Match tab and the tool decodes the header (alg, kid, typ, cty, x5t, jku) and locates the JWK that should verify the signature. Matching follows the order every JOSE library uses: exact kid match first, fall back to the first key whose kty and alg agree with the JWS header. A per-key trace shows exactly which check passed or failed (kid, alg, kty, use, key_ops) so you can debug a 'no matching key' verification failure from your auth library without going line by line through its source.

Useful for backend engineers integrating with Auth0, Cognito, Google, Apple, Firebase, Okta, Azure AD, or any other issuer, for platform teams operating their own signing service, for security reviewers auditing key rotation, and for anyone who has ever stared at a JWT verification error and wondered which key the issuer expected the verifier to use. Everything runs locally in your browser using the Web Crypto API for the SHA-256 thumbprint, so the JWKS, the JWT, and any private key material you paste never leave your device.
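
The per-key validation checks listed above for RSA, EC and OKP keys, as an added Python example (not the tool's own validator). It returns a flat list of problems and does not reproduce the tool's error/warning split; the names are illustrative and the input is the page's sample EC key.

```python
import base64
import re

# Coordinate length in bytes for each curve the page lists.
COORD_BYTES = {"P-256": 32, "P-384": 48, "P-521": 66, "secp256k1": 32,
               "Ed25519": 32, "Ed448": 57, "X25519": 32, "X448": 56}
CURVE_ALG = {"P-256": "ES256", "P-384": "ES384", "P-521": "ES512",
             "secp256k1": "ES256K", "Ed25519": "EdDSA", "Ed448": "EdDSA"}
EC_CURVES = {"P-256", "P-384", "P-521", "secp256k1"}
SIG_OPS = {"sign", "verify"}
SAMPLE_EC = {"kty": "EC", "crv": "P-256", "alg": "ES256", "use": "sig",  # page's sample key
             "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
             "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

def b64url(value):
    """Decode an unpadded base64url member, or return None if malformed."""
    if (not isinstance(value, str) or len(value) % 4 == 1
            or not re.fullmatch(r"[A-Za-z0-9_-]+", value)):
        return None
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def validate(jwk: dict) -> list:
    """Return the problems found in one JWK (empty list when healthy)."""
    problems = []
    kty, crv, alg = jwk.get("kty"), jwk.get("crv"), jwk.get("alg")
    if kty == "RSA":
        n = b64url(jwk.get("n"))
        if n is None or b64url(jwk.get("e")) is None:
            problems.append("RSA: n or e missing or not base64url")
        elif int.from_bytes(n, "big").bit_length() < 2048:
            problems.append("RSA: modulus below 2048 bits")
        if alg and not str(alg).startswith(("RS", "PS")):
            problems.append(f"alg {alg} does not fit kty RSA")
    elif kty in ("EC", "OKP"):
        if crv not in COORD_BYTES or (kty == "EC") != (crv in EC_CURVES):
            problems.append(f"crv {crv!r} is not valid for kty {kty}")
        for member in ("x", "y") if kty == "EC" else ("x",):
            raw = b64url(jwk.get(member))
            if raw is None:
                problems.append(f"{member} missing or not base64url")
            elif len(raw) != COORD_BYTES.get(crv, len(raw)):
                problems.append(f"{member} is {len(raw)} bytes, not {COORD_BYTES[crv]}")
        if alg and not str(alg).startswith("ECDH") and alg != CURVE_ALG.get(crv, alg):
            problems.append(f"alg {alg} does not fit crv {crv}")
    else:
        problems.append(f"kty {kty!r} is not covered by this example")
    use, ops = jwk.get("use"), set(jwk.get("key_ops") or [])
    if (use == "sig" and ops - SIG_OPS) or (use == "enc" and ops & SIG_OPS):
        problems.append("use and key_ops contradict each other")
    return problems
```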

Free to use. Works in your browser. No signup, no login.
