JWKS Endpoint

GET /.well-known/keys

Corppass signs all JSON Web Tokens (JWTs) issued during the authentication and authorization process using a dedicated signing key. RPs can validate these JWT signatures by retrieving the signing public key from the Corppass JSON Web Key Set (JWKS) endpoint.

This endpoint returns one or more public keys in JSON Web Key (JWK) format. To validate a JWT signature:

  1. Use the JWK where the use attribute is set to sig (indicating a signing key).

  2. Ensure the kid value in the JWK matches the kid value in the JWT’s JOSE header.

Responses from this endpoint, or individual keys within the JWKS, should be cached for at least 1 hour to avoid retrieving the JWKS for every JWT validation.

Response

Response Example

HTTP/2 200
content-type: application/jwk-set+json; charset=utf-8
content-length: 955
{
  "keys": [
    {
      "kty": "EC",
      "use": "sig",
      "kid": "OvNklZwNmhiE6tu9mtWTDAv218k2DMjuRaGhkBgFdOo",
      "alg": "ES256",
      "crv": "P-256",
      "x": "gnbm-h8k3ZzeegHK0x87wO_SP_MLFts9XPZm7pE8U04",
      "x5c": [
        "MIIB2TCCAYCgAwIBAgIUWSJjkrsmm08OFT3PDSegP/6fTXwwCgYIKoZIzj0EAwIwRDELMAkGA1UECAwCU0cxCzAJBgNVBAcMAlNHMQswCQYDVQQKDAJDUDEMMAoGA1UEAwwDTkRJMQ0wCwYDVQQLDARTUENQMB4XDTI0MTExMTA1MjYyMloXDTI2MTExMDA1MjYyMlowRDELMAkGA1UECAwCU0cxCzAJBgNVBAcMAlNHMQswCQYDVQQKDAJDUDEMMAoGA1UEAwwDTkRJMQ0wCwYDVQQLDARTUENQMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgnbm+h8k3ZzeegHK0x87wO/SP/MLFts9XPZm7pE8U04m+1m09SoBLrzftqyIia3H6g7TnBBL5nqU6d6r3OL+pKNQME4wHQYDVR0OBBYEFBShdiaEMMNlMU15ewIkmCdBQFZOMB8GA1UdIwQYMBaAFBShdiaEMMNlMU15ewIkmCdBQFZOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgIrv7vCRg/XGmPz74X3Ygs5gV2jEPCvPCBtyU/hR59GYCIGPBWS1/DmvQztjoknyjv8fvop7QUiTf8jotrZc4ssDK"
      ],
      "y": "JvtZtPUqAS6837asiImtx-oO05wQS-Z6lOneq9zi_qQ",
      "x5t": "ljFP32-_2i4WJZ0vo0UM-8Xr5oI",
      "x5t#S256": "OvNklZwNmhiE6tu9mtWTDAv218k2DMjuRaGhkBgFdOo"
    }
  ]
}

JWKS Key Rotation

Corppass reserves the right to rotate or update its signing keys at any time and without prior notice. When a key rotation occurs:

  1. New keys will be published to the JWKS endpoint and will include a unique kid value.

  2. JWTs issued after the rotation will reference the updated kid in their JOSE headers.

  3. RPs must refresh their cached JWKS by querying the JWKS endpoint to retrieve the updated keys.

It is essential for RPs to implement proper handling for key rotations to ensure uninterrupted validation of JWT signatures.
