{"id":"jwks-token-verification","title":"JWKS and token verification","description":"Verify Knogin-issued JWTs against public JWKS endpoints rather than relying on private signing details.","lastUpdated":"2026-03-23","sections":[{"id":"jwks-well-known","title":"GET /.well-known/jwks.json · OpenID-compatible JWKS discovery","content":"Route: GET /.well-known/jwks.json\nHost: https://auth.knogin.com\nAuth: Public endpoint\nAudience: External integrators\nStability: Stable\n\nPublishes public signing keys at the well-known JWKS path for standards-based token validation.\n\nIntegration notes:\n- Use the key identifier in the JWT header to select the correct public key.\n- Cache JWKS responses according to your verifier policy and refresh on unknown key IDs.","codeExamples":[{"language":"bash","code":"curl https://auth.knogin.com/.well-known/jwks.json","description":"Request example"},{"language":"json","code":"{\n  \"keys\": [\n    {\n      \"kty\": \"RSA\",\n      \"kid\": \"2026-03-signing-key\",\n      \"use\": \"sig\"\n    }\n  ]\n}","description":"Response example"}]},{"id":"jwks-auth-versioned","title":"GET /v1/auth/jwks.json · Versioned JWKS endpoint","content":"Route: GET /v1/auth/jwks.json\nHost: https://auth.knogin.com\nAuth: Public endpoint\nAudience: External integrators\nStability: Stable\n\nProvides the same public signing material under the auth-service versioned API namespace.\n\nIntegration notes:\n- Use this variant when your API client standardizes on versioned endpoints.","codeExamples":[{"language":"bash","code":"curl https://auth.knogin.com/v1/auth/jwks.json","description":"Request example"},{"language":"json","code":"{\n  \"keys\": [\n    {\n      \"kty\": \"RSA\",\n      \"kid\": \"2026-03-signing-key\",\n      \"use\": \"sig\"\n    }\n  ]\n}","description":"Response example"}]}],"relatedTopics":["identity-app-registration","oauth-service-tokens","event-delivery-webhooks","graphql-transport-contract"],"markdown":"# JWKS and token verification\n\nVerify Knogin-issued JWTs against public JWKS endpoints rather than relying on private signing details.\n\n## GET /.well-known/jwks.json · OpenID-compatible JWKS discovery\n\nRoute: GET /.well-known/jwks.json\nHost: https://auth.knogin.com\nAuth: Public endpoint\nAudience: External integrators\nStability: Stable\n\nPublishes public signing keys at the well-known JWKS path for standards-based token validation.\n\nIntegration notes:\n- Use the key identifier in the JWT header to select the correct public key.\n- Cache JWKS responses according to your verifier policy and refresh on unknown key IDs.\n\nRequest example\n\n```bash\ncurl https://auth.knogin.com/.well-known/jwks.json\n```\n\nResponse example\n\n```json\n{\n  \"keys\": [\n    {\n      \"kty\": \"RSA\",\n      \"kid\": \"2026-03-signing-key\",\n      \"use\": \"sig\"\n    }\n  ]\n}\n```\n\n## GET /v1/auth/jwks.json · Versioned JWKS endpoint\n\nRoute: GET /v1/auth/jwks.json\nHost: https://auth.knogin.com\nAuth: Public endpoint\nAudience: External integrators\nStability: Stable\n\nProvides the same public signing material under the auth-service versioned API namespace.\n\nIntegration notes:\n- Use this variant when your API client standardizes on versioned endpoints.\n\nRequest example\n\n```bash\ncurl https://auth.knogin.com/v1/auth/jwks.json\n```\n\nResponse example\n\n```json\n{\n  \"keys\": [\n    {\n      \"kty\": \"RSA\",\n      \"kid\": \"2026-03-signing-key\",\n      \"use\": \"sig\"\n    }\n  ]\n}\n```\n\n## Related Topics\n\n- [Identity and app registration](https://knogin.com/api/docs/identity-app-registration)\n- [OAuth and service tokens](https://knogin.com/api/docs/oauth-service-tokens)\n- [Event delivery and webhooks](https://knogin.com/api/docs/event-delivery-webhooks)\n- [GraphQL transport contract](https://knogin.com/api/docs/graphql-transport-contract)","metadata":{"readingTime":"4 min","difficulty":"intermediate","tags":["integrations","api","oauth","webhooks","graphql"]}}