What is a JWKS endpoint?

A JWKS (JSON Web Key Set) endpoint exposes your public keys so other services can verify JWTs you sign. It's typically served at /.well-known/jwks.json. Copy the JWKS tab output to set this up.

Which algorithm should I use?

ES256 (ECDSA P-256) is the modern recommendation: small key size, strong security, widely supported. RS256 is more compatible with legacy systems. HS256 is symmetric (same key signs and verifies) — only use it when you control both sides.

Can I use these keys in production?

This tool generates keys using the browser Web Crypto API with appropriate algorithms — technically yes. But for production, generate keys on your own machine using openssl or a dedicated secrets manager to maintain full control of the private key.

JWK Generator

Runs in browser

Generate JWK / JWKS keys for RS256, ES256, HS256. Browser-based, private.

Generate JSON Web Keys (JWK) in your browser for RS256, RS512, ES256, ES512, HS256, and HS512. Output as JWK private/public, JWKS endpoint format, or PEM. Keys never leave your browser.

🔒 Keys are generated in your browser via the Web Crypto API and never sent to any server.

Algorithm

ES256 (ECDSA P-256)

🔒 Runs in your browser · No uploads · Your data never leaves your device

How to use

Select algorithm
Choose from RS256/RS512 (RSA), ES256/ES512 (ECDSA), or HS256/HS512 (HMAC). ES256 is a good default for modern JWT signing.
Generate keys
Click 'Generate JWK'. RSA keys take a moment; ECDSA and HMAC keys are instant.
Copy output
Use the tabs to switch between JWK Private, JWK Public, JWKS (public key set for /.well-known/jwks.json), and PEM format.

Common use cases

Setting up a JWKS endpoint — Generate an ES256 key pair and copy the JWKS tab output to serve as your /.well-known/jwks.json endpoint for JWT verification.
Creating keys for JWT signing in development — Generate RS256 or HS256 keys to configure JWT signing in an auth service during local development and testing.

Examples

ES256 JWK for JWT signing
Generate an ES256 key pair, copy the JWK Private for signing JWTs, copy the JWK Public or JWKS for verification.
Output
```
{"kty":"EC","crv":"P-256","alg":"ES256","use":"sig","x":"...","y":"...","d":"..."}
```

Frequently asked questions

What is a JWKS endpoint?: A JWKS (JSON Web Key Set) endpoint exposes your public keys so other services can verify JWTs you sign. It's typically served at /.well-known/jwks.json. Copy the JWKS tab output to set this up.
Which algorithm should I use?: ES256 (ECDSA P-256) is the modern recommendation: small key size, strong security, widely supported. RS256 is more compatible with legacy systems. HS256 is symmetric (same key signs and verifies) — only use it when you control both sides.
Can I use these keys in production?: This tool generates keys using the browser Web Crypto API with appropriate algorithms — technically yes. But for production, generate keys on your own machine using openssl or a dedicated secrets manager to maintain full control of the private key.

Key concepts

JWK: JSON Web Key — a JSON representation of a cryptographic key used for signing or encrypting JWTs, standardized in RFC 7517.
JWKS: JSON Web Key Set — a JSON document containing an array of JWKs, typically served at /.well-known/jwks.json so other services can verify JWTs.

You might find these useful too.

JWK Generator tool

How to use

Select algorithm

Generate keys

Copy output

Common use cases

Examples

ES256 JWK for JWT signing

Frequently asked questions

Key concepts

Related tools