HID Authentication Service Public Server JWK Set

The HID Authentication Service server publishes its public keys as a JSON Web Key Set (JWKS). This enables clients to:

The public keys are available at the following URL:

https://[base-server-url]/{tenant}/authn/jwks [GET]

The JWK set URL is referenced in the jwks_uri claim from the metadata published at the discovery endpoint.

Sample request to get the server’s public keys:

GET https://[base-server-url]/{tenant}/authn/jwks HTTP/1.1

Sample response

HTTP/1.1 200 OK
Content-Type: application/json
 
{
    "keys": [{
        "kty": "RSA",
        "x5t#S256": "ZrPsquD9bQgIOWXKMToyhDnsVW3CL9g2r33yXLrUrZE",
        "e": "AQAB",
        "use": "sig",
        "kid": "1529070049824",
        "x5c": ["MIIDZjCCAk6gAwIBAgIGAWQDrVogMA0GCSqGSIb3DQEBCwUAMFcxEzARBgNVBAsTCk9OTElORUJBTksxEzARBgNVBAoTCkhJRCBHbG9iYWwxKzApBgNVBAMTIihPTkxJTkVCQU5LKSBBY3RpdklEIElEUCBTaWduYXR1cmUwHhcNMTgwNjE0MTM0MDQ5WhcNMjMwNjE1MTM0MDQ5WjBXMRMwEQYDVQQLEwpPTkxJTkVCQU5LMRMwEQYDVQQKEwpISUQgR2xvYmFsMSswKQYDVQQDEyIoT05MSU5FQkFOSykgQWN0aXZJRCBJRFAgU2lnbmF0dXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArAoa+Ezg2B3HDSVodJYrsRwuKPwsPfxZOU3vuwX0X48rI2h\/t\/fYt7lZSBOaSYNEUooZvgV9j\/9eDPIG4NoEoO40BtVir+cWU+QkfNrMt0MHT43K2nExTzCJXddD0fAXxnOkBZRpmbBvfJEn3CTPegfGZms+H57hIkdsHz1XA9d9HNC8AKjlnDPkyG9CSX1WtqG5gcB0AsyYuNy4A\/TYvsKCKrqs54kkvrNXpCfCKZOEpFnbc3pQq6Kl3sS\/3d+ccELWJ4Up2ZpsAq455F4LOVcpi7w5+zmHzgpnl5RfzPPQ+Hts9VBWTGOuyShNQbBYjUre3ymj9filIW86uLEznwIDAQABozgwNjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB\/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAP7qE\/W+VF5ASAxGKwqXlP8J39GpFqvKiy+4lJHoFnLfEaOWWTqKCMZBojWMfZHqy0jS2ONVg9z13mJsaTkYFV507FxKHh4jLD98ZZHWKrWXjSJyDfGIeH1HkoqxPlEGGjhPB05EQW4pponG8JWa6ZV2dGTJF1cWb0c3AalxWv8MKzEKJdLkGC8MCzvS5R5iRWLUhK\/gp0UUMV5RD5TYLgFHdmH52QEW7QdNC+VsYYv1xHP2kWVDDaRqfXrgQp4IrW96ecFGLzmGXVX5hcxNR1GTESfLS90MtMOVmbN1rcw4wWI0syYRd7QdISKlS0FH6qp72xEo\/veCc68bbfWMDgw=="],
        "alg": "RS256",
        "n": "rAoa-Ezg2B3HDSVodJYrsRwuKPwsPfxZOU3vuwX0X48rI2h_t_fYt7lZSBOaSYNEUooZvgV9j_9eDPIG4NoEoO40BtVir-cWU-QkfNrMt0MHT43K2nExTzCJXddD0fAXxnOkBZRpmbBvfJEn3CTPegfGZms-H57hIkdsHz1XA9d9HNC8AKjlnDPkyG9CSX1WtqG5gcB0AsyYuNy4A_TYvsKCKrqs54kkvrNXpCfCKZOEpFnbc3pQq6Kl3sS_3d-ccELWJ4Up2ZpsAq455F4LOVcpi7w5-zmHzgpnl5RfzPPQ-Hts9VBWTGOuyShNQbBYjUre3ymj9filIW86uLEznw"
        }, 
        {
        "kty": "RSA",
        "x5t#S256": "r5cIwQA2g_C7Vc6TOi_UdPk3kmamQSieEAcFcwKO5YI",
        "e": "AQAB",
        "use": "enc",
        "kid": "1529070050980",
        "x5c": ["MIIDZzCCAk+gAwIBAgIGAWQDrV6kMA0GCSqGSIb3DQEBCwUAMFgxEzARBgNVBAsTCk9OTElORUJBTksxEzARBgNVBAoTCkhJRCBHbG9iYWwxLDAqBgNVBAMTIyhPTkxJTkVCQU5LKSBBY3RpdklEIElEUCBFbmNyeXB0aW9uMB4XDTE4MDYxNDEzNDA1MFoXDTIzMDYxNTEzNDA1MFowWDETMBEGA1UECxMKT05MSU5FQkFOSzETMBEGA1UEChMKSElEIEdsb2JhbDEsMCoGA1UEAxMjKE9OTElORUJBTkspIEFjdGl2SUQgSURQIEVuY3J5cHRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCV6SMyRNJJmaBW4gXH9eEQbcBLpYdHV5hj\/rmGfGoa7ylvdK4GiuTrWCkRYwel2p9PlsJnC5AAWjvIFavU8iIUZ5Np8CIDy+L1Gewcf659V+MmzU8mgLRWdQ6ovYFXi8UWbOykF\/Ze6GVYXJ3SjoXk0U9hdWOvpjAJ6Q7l8G+8TpPb7LHlqZQdES5YUkkqTQSbpytPD3AGVmBD3vmFN622II39AZQgenAYifiivMFuzUjupnkUhmAPqdqSwg9t6cIrvzjJRddh5KZzhH9NeAebfqx7iyiIr4i0GJJY3VyANXO8bBTT8644JHNQugA+hep2fpN+G5tzFYYi1HmKGq3BAgMBAAGjNzA1MAwGA1UdEwEB\/wQCMAAwDgYDVR0PAQH\/BAQDAgQwMBUGA1UdJQQOMAwGCisGAQQBgjcKAwQwDQYJKoZIhvcNAQELBQADggEBAE2gH8hoJHZ94g9Ec8WgtDtoGxk5iGKt6xFRZbBv84DGltTObUclD4VgoiI9zBodYuAWxbXaQxtQBsq5SBQfwGWWh1iu5T7VlmD\/dDs8InBPc3QX63Z364oPAHOLZTPPgj5ewrZ1PWeE2+xP32D2IcYzbvhrDcYTp9OmMIFGYJQh31VuJDsjkIARDj9AaS0KfmqKGlM+B3Kn2y8ARdgAmqDwfYaBTavO46TfDkQ+dEtv8dodBsLLSvoZeBUcJF\/mH7B3YGqn4Rb6Z\/KcbweuKOn5C8wNi2p\/frwCggra4+IXA4OCf+FDBxIXgz5PomrrfoGlmt86Nw6vMKvgI35kJw0="],
        "alg": "RS256",
        "n": "lekjMkTSSZmgVuIFx_XhEG3AS6WHR1eYY_65hnxqGu8pb3SuBork61gpEWMHpdqfT5bCZwuQAFo7yBWr1PIiFGeTafAiA8vi9RnsHH-ufVfjJs1PJoC0VnUOqL2BV4vFFmzspBf2XuhlWFyd0o6F5NFPYXVjr6YwCekO5fBvvE6T2-yx5amUHREuWFJJKk0Em6crTw9wBlZgQ975hTettiCN_QGUIHpwGIn4orzBbs1I7qZ5FIZgD6naksIPbenCK784yUXXYeSmc4R_TXgHm36se4soiK-ItBiSWN1cgDVzvGwU0_OuOCRzULoAPoXqdn6TfhubcxWGItR5ihqtwQ"
        }
    ]
}

Note: The key with "use": "sig" contains an RSA key and an X.509 certificate chain ("x5c") used to verify the signatures of signed ID Tokens, etc.

The key with "use": "enc" contains an RSA key and X.509 certificate chain (“x5c”) to encrypt request data (for example, the request object, sent by the client).
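
The following added example is not HID's code. It shows one way a client could pick a key from an already fetched and parsed JWK set by "kid" and "use", and check that "x5t#S256" and "n" agree with "x5c" before using the key. The helper names and the sample key material are assumptions constructed for illustration; only the "kid" values mirror the sample response.

```python
import base64
import hashlib

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def select_key(jwks: dict, kid: str, use: str, allowed_algs=("RS256",)) -> dict:
    """Hypothetical helper: return the one JWK for kid/use after consistency checks."""
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one key with kid {kid!r}")
    key = matches[0]
    # Never verify a signature with the "enc" key or encrypt to the "sig" key.
    if key.get("use") != use:
        raise ValueError(f"key {kid!r} has use {key.get('use')!r}, wanted {use!r}")
    if key.get("kty") != "RSA" or key.get("alg") not in allowed_algs:
        raise ValueError(f"key {kid!r} has unexpected kty/alg")
    if not key.get("x5c") or not key.get("n"):
        raise ValueError(f"key {kid!r} lacks x5c or n")
    # x5c entries are standard base64 DER; x5t#S256 is the base64url SHA-256 of x5c[0].
    leaf_der = base64.b64decode(key["x5c"][0])
    if b64url(hashlib.sha256(leaf_der).digest()) != key.get("x5t#S256"):
        raise ValueError(f"key {kid!r}: x5t#S256 does not match x5c[0]")
    # Coarse binding check: the JWK modulus bytes must occur in the leaf certificate.
    # A full check would parse the certificate and validate the chain.
    if b64url_decode(key["n"]) not in leaf_der:
        raise ValueError(f"key {kid!r}: n is not found in x5c[0]")
    return key

def constructed_key(kid: str, use: str, modulus: bytes) -> dict:
    """Build a constructed JWK whose 'certificate' is a stand-in byte string."""
    fake_der = b"CONSTRUCTED-NOT-A-CERT:" + modulus
    return {"kty": "RSA", "alg": "RS256", "e": "AQAB", "use": use, "kid": kid,
            "n": b64url(modulus),
            "x5c": [base64.b64encode(fake_der).decode()],
            "x5t#S256": b64url(hashlib.sha256(fake_der).digest())}

# Constructed sample: kid values mirror the sample response, key material is made up.
SAMPLE_JWKS = {"keys": [constructed_key("1529070049824", "sig", bytes(range(1, 65))),
                        constructed_key("1529070050980", "enc", bytes(range(65, 129)))]}

if __name__ == "__main__":
    print(select_key(SAMPLE_JWKS, "1529070049824", "sig")["kid"])
```

The same checks apply unchanged to the real response once it is parsed with a JSON library, since the escaped `\/` sequences in "x5c" decode to plain `/`.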

Possible error responses are:

| Code | Label | Possible Errors |
|------|-------|-----------------|
| 400 | BAD REQUEST | invalid_request |

See also:

Viewing Well-known Endpoints in the Portal