# JWKS Endpoint

```
GET /.well-known/keys
```

Corppass signs all JSON Web Tokens (JWTs) issued during the authentication and authorization process using a dedicated signing key. RPs can validate these JWT signatures by retrieving the signing public key from the Corppass JSON Web Key Set (JWKS) endpoint.

This endpoint returns one or more public keys in JSON Web Key (JWK) format. To validate a JWT signature:

1. Use the JWK where the `use` attribute is set to `sig` (indicating a signing key).
2. Ensure the `kid` value in the JWK matches the `kid` value in the JWT’s JOSE header.

{% hint style="info" %}
Responses from this endpoint, or individual keys within the JWKS, should be cached for at least 1 hour to avoid retrieving the JWKS for every JWT validation.
{% endhint %}

#### Response

Response Example

```http
HTTP/2 200
content-type: application/jwk-set+json; charset=utf-8
content-length: 955

{
  "keys": [
    {
      "kty": "EC",
      "use": "sig",
      "kid": "OvNklZwNmhiE6tu9mtWTDAv218k2DMjuRaGhkBgFdOo",
      "alg": "ES256",
      "crv": "P-256",
      "x": "gnbm-h8k3ZzeegHK0x87wO_SP_MLFts9XPZm7pE8U04",
      "x5c": [
        "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"
      ],
      "y": "JvtZtPUqAS6837asiImtx-oO05wQS-Z6lOneq9zi_qQ",
      "x5t": "ljFP32-_2i4WJZ0vo0UM-8Xr5oI",
      "x5t#S256": "OvNklZwNmhiE6tu9mtWTDAv218k2DMjuRaGhkBgFdOo"
    }
  ]
}
```

**JWKS Key Rotation**

Corppass reserves the right to rotate or update its signing keys at any time and without prior notice. When a key rotation occurs:

1. New keys will be published to the JWKS endpoint and will include a unique `kid` value.
2. JWTs issued after the rotation will reference the updated `kid` in their JOSE headers.
3. RPs **must** refresh their cached JWKS by querying the JWKS endpoint to retrieve the updated keys.

It is essential for RPs to implement proper handling for key rotations to ensure uninterrupted validation of JWT signatures.
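The key selection, caching and rotation handling described above can be combined in one cache, shown here as an added example that is not Corppass code: it keeps only `use: sig` keys, looks them up by the `kid` in the JWT's JOSE header, and refetches when an unknown `kid` appears. The `fetch` callable, the 60-second `MIN_REFRESH_GAP` floor (so that tokens carrying arbitrary `kid` values cannot force a fetch per request) and all `kid` values are assumptions; verifying the signature with the returned JWK is left to a JOSE library.

```python
import base64, json, time

CACHE_TTL = 3600        # the page asks for caching of at least 1 hour
MIN_REFRESH_GAP = 60    # assumed floor between refreshes forced by unknown kids

def b64url_json(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_kid(token):
    """Read `kid` from the not-yet-verified JOSE header of a compact JWT."""
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))["kid"]

class JwksCache:
    def __init__(self, fetch, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock   # fetch() returns the parsed JWKS
        self._keys, self._fetched_at = {}, None

    def _refresh(self):
        # Step 1: only keys with use == "sig" are eligible for signature checks.
        self._keys = {k["kid"]: k for k in self._fetch()["keys"] if k.get("use") == "sig"}
        self._fetched_at = self._clock()

    def key_for(self, token):
        kid = jwt_kid(token)
        age = None if self._fetched_at is None else self._clock() - self._fetched_at
        if age is None or age >= CACHE_TTL:
            self._refresh()
        elif kid not in self._keys and age >= MIN_REFRESH_GAP:
            self._refresh()   # unknown kid: probably a rotation, refetch
        if kid not in self._keys:   # step 2: kid must match a published key
            raise KeyError(f"no signing key published for kid {kid!r}")
        return self._keys[kid]

def demo():
    # Constructed JWKS states and tokens; kids and key material are made up.
    published = {"keys": [{"kty": "EC", "use": "sig", "kid": "old-kid"},
                          {"kty": "EC", "use": "enc", "kid": "enc-kid"}]}
    now, fetches = [0.0], []
    def fetch():
        fetches.append(now[0])
        return published
    cache = JwksCache(fetch, clock=lambda: now[0])
    token = lambda kid: b64url_json({"alg": "ES256", "kid": kid}) + ".e30.sig"
    cache.key_for(token("old-kid")); cache.key_for(token("old-kid"))  # 1 fetch
    published = {"keys": [{"kty": "EC", "use": "sig", "kid": "new-kid"}]}  # rotation
    now[0] = 120.0
    rotated = cache.key_for(token("new-kid"))["kid"]                  # 2nd fetch
    return rotated, len(fetches)
```

A token whose `kid` is still unknown after the refresh is rejected with `KeyError` rather than validated against any other key in the set.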

{% hint style="danger" %}
The following fields will be **deprecated** in the next major version of the API:

* x5c
* x5t
* x5t#S256

Plan to update your applications to remove reliance on these fields. We strongly recommend reviewing the updated API documentation and transitioning to alternative fields as soon as possible to avoid disruptions.
{% endhint %}

