JWKS & JWA
JSON Web Key Set (JWKS)
Specifies the JSON Web Key Set that shall be used by the authorization server for cryptographic signing and decryption operations. The key set MUST be provided in JWK Set format as defined in RFC 7517. All keys within the set MUST be private keys.
Supported key types include:
- RSA
- OKP (Ed25519 and X25519 subtypes)
- EC (P-256, P-384, and P-521 curves)
recommendation: Be sure to follow best practices for distributing private keying material and secrets for your respective target deployment environment.
recommendation: The following action order is recommended when rotating signing keys on a distributed deployment with rolling reloads in place.
- push new keys at the very end of the “keys” array in your JWKS; the keys then become available for verification should they be encountered, but are not yet used for signing
- reload all your processes
- move your new key to the very front of the “keys” array in your JWKS; the key will be used for signing after the reload
- reload all your processes
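
The rotation order above, as an added example (not code from the project): hypothetical helpers `stageKey` and `promoteKey` perform the two JWKS edits, and `fleetIsConsistent` checks that a rolling reload never leaves a process unaware of a peer's signing key. The key objects are constructed placeholders, and the unique-`kid` requirement and the per-`kty` front-of-array signing rule are assumptions of this example.

```javascript
// Added example: two-phase signing-key rotation; key values are constructed placeholders.
const SUPPORTED_KTY = new Set(['RSA', 'OKP', 'EC']);

// RSA, OKP and EC private JWKs all carry the private value in "d".
// Assumption: this helper also requires a unique "kid" per key.
function checkPrivateJwks(jwks) {
  const seen = new Set();
  for (const k of jwks.keys) {
    if (!SUPPORTED_KTY.has(k.kty)) throw new Error(`unsupported kty: ${k.kty}`);
    if (typeof k.d !== 'string') throw new Error(`${k.kid} is not a private key`);
    if (!k.kid || seen.has(k.kid)) throw new Error(`missing or duplicate kid: ${k.kid}`);
    seen.add(k.kid);
  }
  return jwks;
}

// Step 1: append, so the key can verify but is not picked for signing.
function stageKey(jwks, newKey) {
  return checkPrivateJwks({ keys: [...jwks.keys, newKey] });
}

// Step 3: move the staged key to the front so it signs after the reload.
function promoteKey(jwks, kid) {
  const key = jwks.keys.find((k) => k.kid === kid);
  if (!key) throw new Error(`${kid} was never staged`);
  return checkPrivateJwks({ keys: [key, ...jwks.keys.filter((k) => k !== key)] });
}

// Assumption: the first key of a given kty in the array is the signing key.
function signingKid(jwks, kty) {
  return jwks.keys.find((k) => k.kty === kty).kid;
}

// During a rolling reload processes run different JWKS versions side by side.
// The fleet is consistent when every process knows every peer's signing key.
function fleetIsConsistent(fleet, kty) {
  return fleet.every((signer) => fleet.every((peer) =>
    peer.keys.some((k) => k.kid === signingKid(signer, kty))));
}

const oldKey = { kty: 'EC', crv: 'P-256', kid: 'old-key', d: 'placeholder' };
const newKey = { kty: 'EC', crv: 'P-256', kid: 'new-key', d: 'placeholder' };
const current = { keys: [oldKey] };
const staged = stageKey(current, newKey);
const promoted = promoteKey(staged, 'new-key');

console.log(fleetIsConsistent([current, staged], 'EC'));   // reload after step 1
console.log(fleetIsConsistent([staged, promoted], 'EC'));  // reload after step 3
console.log(fleetIsConsistent([current, promoted], 'EC')); // step 1 skipped
```

The last case models promoting a key without staging it first: processes still on the old JWKS cannot verify tokens signed by already-reloaded peers.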
enabledJWA
Supported JSON Web Algorithms (JWA)
Specifies the JSON Web Algorithm (JWA) values supported by this authorization server for various cryptographic operations, as defined in RFC 7518 and related specifications.
enabledJWA.attestSigningAlgValues
JWS “alg” Algorithm values the authorization server supports to verify signed Client Attestation and Client Attestation PoP JWTs with
default value:
['ES256', 'Ed25519', 'EdDSA']
Example: Supported values list.
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES384', 'ES512',
  'Ed25519', 'EdDSA',
  'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0
]

enabledJWA.authorizationEncryptionAlgValues
JWE “alg” Algorithm values the authorization server supports for JWT Authorization response (JARM) encryption
default value:
['A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'RSA-OAEP-256', 'dir']
Example: Supported values list.
[
  // asymmetric RSAES based
  'RSA-OAEP', 'RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512',
  // asymmetric ECDH-ES based
  'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
  // symmetric AES key wrapping
  'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
  // direct encryption
  'dir',
]

enabledJWA.authorizationEncryptionEncValues
JWE “enc” Content Encryption Algorithm values the authorization server supports to encrypt JWT Authorization Responses (JARM) with
default value:
['A128CBC-HS256', 'A128GCM', 'A256CBC-HS512', 'A256GCM']
Example: Supported values list.
[
  'A128CBC-HS256', 'A128GCM',
  'A192CBC-HS384', 'A192GCM',
  'A256CBC-HS512', 'A256GCM',
]

enabledJWA.authorizationSigningAlgValues
JWS “alg” Algorithm values the authorization server supports to sign JWT Authorization Responses (JARM) with
default value:
['RS256', 'PS256', 'ES256', 'Ed25519', 'EdDSA']
Example: Supported values list.
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES384', 'ES512',
  'Ed25519', 'EdDSA',
  'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0
  'HS256', 'HS384', 'HS512',
]

enabledJWA.clientAuthSigningAlgValues
JWS “alg” Algorithm values the authorization server supports for signed JWT Client Authentication (private_key_jwt and client_secret_jwt)
default value:
['HS256', 'RS256', 'PS256', 'ES256', 'Ed25519', 'EdDSA']
Example: Supported values list.
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES384', 'ES512',
  'Ed25519', 'EdDSA',
  'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0
  'HS256', 'HS384', 'HS512',
]

enabledJWA.dPoPSigningAlgValues
JWS “alg” Algorithm values the authorization server supports to verify signed DPoP proof JWTs with
default value:
['ES256', 'Ed25519', 'EdDSA']
Example: Supported values list.
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES384', 'ES512',
  'Ed25519', 'EdDSA',
  'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0
]

enabledJWA.idTokenEncryptionAlgValues
JWE “alg” Algorithm values the authorization server supports for ID Token encryption
default value:
['A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'RSA-OAEP-256', 'dir']
Example: Supported values list.
[
  // asymmetric RSAES based
  'RSA-OAEP', 'RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512',
  // asymmetric ECDH-ES based
  'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
  // symmetric AES key wrapping
  'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
  // direct encryption
  'dir',
]

enabledJWA.idTokenEncryptionEncValues
JWE “enc” Content Encryption Algorithm values the authorization server supports to encrypt ID Tokens with
default value:
['A128CBC-HS256', 'A128GCM', 'A256CBC-HS512', 'A256GCM']
Example: Supported values list.
[
  'A128CBC-HS256', 'A128GCM',
  'A192CBC-HS384', 'A192GCM',
  'A256CBC-HS512', 'A256GCM',
]

enabledJWA.idTokenSigningAlgValues
JWS “alg” Algorithm values the authorization server supports to sign ID Tokens with.
default value:
['RS256', 'PS256', 'ES256', 'Ed25519', 'EdDSA']
Example: Supported values list.
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES384', 'ES512',
  'Ed25519', 'EdDSA',
  'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0
  'HS256', 'HS384', 'HS512',
]

enabledJWA.introspectionEncryptionAlgValues
JWE “alg” Algorithm values the authorization server supports for JWT Introspection response encryption
default value:
['A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'RSA-OAEP-256', 'dir']
Example: Supported values list.
[
  // asymmetric RSAES based
  'RSA-OAEP', 'RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512',
  // asymmetric ECDH-ES based
  'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
  // symmetric AES key wrapping
  'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
  // direct encryption
  'dir',
]

enabledJWA.introspectionEncryptionEncValues
JWE “enc” Content Encryption Algorithm values the authorization server supports to encrypt JWT Introspection responses with
default value:
['A128CBC-HS256', 'A128GCM', 'A256CBC-HS512', 'A256GCM']
Example: Supported values list.
[
  'A128CBC-HS256', 'A128GCM',
  'A192CBC-HS384', 'A192GCM',
  'A256CBC-HS512', 'A256GCM',
]

enabledJWA.introspectionSigningAlgValues
JWS “alg” Algorithm values the authorization server supports to sign JWT Introspection responses with
default value:
['RS256', 'PS256', 'ES256', 'Ed25519', 'EdDSA']
Example: Supported values list.
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES384', 'ES512',
  'Ed25519', 'EdDSA',
  'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0
  'HS256', 'HS384', 'HS512',
]

enabledJWA.requestObjectEncryptionAlgValues
JWE “alg” Algorithm values the authorization server supports to receive encrypted Request Objects (JAR) with
default value:
['A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'RSA-OAEP-256', 'dir']
Example: Supported values list.
[
  // asymmetric RSAES based
  'RSA-OAEP', 'RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512',
  // asymmetric ECDH-ES based
  'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
  // symmetric AES key wrapping
  'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
  // direct encryption
  'dir',
]

enabledJWA.requestObjectEncryptionEncValues
JWE “enc” Content Encryption Algorithm values the authorization server supports to decrypt Request Objects (JAR) with
default value:
['A128CBC-HS256', 'A128GCM', 'A256CBC-HS512', 'A256GCM']
Example: Supported values list.
[
  'A128CBC-HS256', 'A128GCM',
  'A192CBC-HS384', 'A192GCM',
  'A256CBC-HS512', 'A256GCM',
]

enabledJWA.requestObjectSigningAlgValues
JWS “alg” Algorithm values the authorization server supports to receive signed Request Objects (JAR) with
default value:
['HS256', 'RS256', 'PS256', 'ES256', 'Ed25519', 'EdDSA']
Example: Supported values list.
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES384', 'ES512',
  'Ed25519', 'EdDSA',
  'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0
  'HS256', 'HS384', 'HS512',
]

enabledJWA.userinfoEncryptionAlgValues
JWE “alg” Algorithm values the authorization server supports for UserInfo Response encryption
default value:
['A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'RSA-OAEP-256', 'dir']
Example: Supported values list.
[
  // asymmetric RSAES based
  'RSA-OAEP', 'RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512',
  // asymmetric ECDH-ES based
  'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
  // symmetric AES key wrapping
  'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
  // direct encryption
  'dir',
]

enabledJWA.userinfoEncryptionEncValues
JWE “enc” Content Encryption Algorithm values the authorization server supports to encrypt UserInfo responses with
default value:
['A128CBC-HS256', 'A128GCM', 'A256CBC-HS512', 'A256GCM']
Example: Supported values list.
[
  'A128CBC-HS256', 'A128GCM',
  'A192CBC-HS384', 'A192GCM',
  'A256CBC-HS512', 'A256GCM',
]

enabledJWA.userinfoSigningAlgValues
JWS “alg” Algorithm values the authorization server supports to sign UserInfo responses with
default value:
['RS256', 'PS256', 'ES256', 'Ed25519', 'EdDSA']
Example: Supported values list.
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES384', 'ES512',
  'Ed25519', 'EdDSA',
  'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0
  'HS256', 'HS384', 'HS512',
]