# Get the JWKs URL

## Glossary

#### JWK

A JSON Web Key (JWK) is a JSON data structure that represents a cryptographic key.
The plural form for multiple such keys is JWKs (with a lowercase `s`).

#### JWKS

A JWK Set (JWKS) is a JSON data structure that represents a set of JWKs.

## Prepare your JWK

- If you are using your Open Banking certificate, you should receive your JWKs URL from the Open Banking Directory.
- If you are using your eIDAS certificate, you will need to publish your JWKS under a publicly available URL.

:::warning [Use The Correct URL]
If you are testing and using services such as pastebin to temporarily host the JWKS, make sure that you provide the URL of the raw JSON and not the HTML web page displaying it.

To confirm that we can access the data, [verify](#verify-that-your-jwks-url-is-publicly-accessible) that your JWKs URL is publicly accessible and properly encoded.
:::

The JWKs URL can include several JWKs (a JWKS), but it must contain at least the public signing key which will be used in the requests.

## Supported key types

Both RSA and Elliptic Curve (EC) key types are supported.
The JWKS structure can include both key types in the same key set.

Depending on the key type, you must include the following fields:

- **RSA key**

  | JWK field mandatory for RSA | Description                                                                                       |
  | --------------------------- | ------------------------------------------------------------------------------------------------- |
  | `kid`                       | The key ID that is used to match a specific key.                                                  |
  | `kty`                       | The cryptographic algorithm family used with the key. For RSA keys, the value is `RSA`.           |
  | `e`                         | Contains the exponent value for the RSA public key, represented as a Base64urlUInt-encoded value. |
  | `n`                         | Contains the modulus value for the RSA public key, represented as a Base64urlUInt-encoded value.  |
  | `use`                       | The intended use of the public key. Must be set to `sig` for signing keys.                        |
  | `x5c`                       | An array containing the base64-encoded `.der` signing certificate.                                |

  To view an example RSA key, see [our production JWKS](https://keystore.openbanking.org.uk/001580000103UAvAAM/6wI3JU5x0mpIEU5SjRi7cG.jwks).

  To generate the modulus value (`n`) from your signing certificate:

  ```shell
  openssl x509 -noout -modulus -in signing.pem | cut -c 9- | xxd -r -p | base64 | tr -d '\n=' | tr '/+' '_-'
  ```

  To obtain the base64-encoded certificate (`x5c`):

  ```shell
  sed -E '/(^-----[A-Z ]+-----$)/d' signing.pem | tr -d '\n'
  ```

- **EC key**

  | JWK field mandatory for EC | Description                                                                           |
  | -------------------------- | ------------------------------------------------------------------------------------- |
  | `kid`                      | The key ID that is used to match a specific key.                                      |
  | `kty`                      | The cryptographic algorithm family used with the key. For EC keys, the value is `EC`. |
  | `crv`                      | The curve used in the EC key. Only `P-256` is currently supported.                    |
  | `x`                        | The x-coordinate of the EC public key, base64url-encoded.                             |
  | `y`                        | The y-coordinate of the EC public key, base64url-encoded.                             |
  | `use`                      | The intended use of the public key. Must be set to `sig` for signing keys.            |
  | `x5c`                      | An array containing the base64-encoded `.der` signing certificate.                    |

  To generate the x-coordinate (`x`) from your signing certificate:

  ```shell
  openssl x509 -in signing.pem -noout -text | grep 'pub:' -A 5 | tail -n +2 | tr -d '\n :' | sed 's/^04//' | awk '{print substr($0, 1, 64)}' | xxd -r -p | base64 | tr -d '\n=' | tr '/+' '_-'
  ```

  To generate the y-coordinate (`y`) from your signing certificate:

  ```shell
  openssl x509 -in signing.pem -noout -text | grep 'pub:' -A 5 | tail -n +2 | tr -d '\n :' | sed 's/^04//' | awk '{print substr($0, 65)}' | xxd -r -p | base64 | tr -d '\n=' | tr '/+' '_-'
  ```

  To obtain the base64-encoded certificate (`x5c`):

  ```shell
  sed -E '/(^-----[A-Z ]+-----$)/d' signing.pem | tr -d '\n'
  ```
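
The individual commands above each produce one field. The following script, added here as an example and not Revolut's own tooling, combines them into a complete JWK for either key type and wraps the result in a JWK Set. It assumes `openssl`, `xxd` and `base64` are installed, that the signing certificate is a PEM file, and that the `kid` value (for Open Banking certificates, the one assigned by the directory) is supplied by the caller; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Revolut docs): build a JWK from a PEM signing
# certificate. Assumes openssl, xxd and base64 on PATH; kid is supplied by you.
set -eu

# Standard base64 on stdin -> base64url without padding, as JWK n/e/x/y require.
b64url() {
  base64 | tr -d '\n=' | tr '/+' '_-'
}

# The x5c entry is the DER certificate in *standard* base64 (padding kept), one line.
x5c_of() {
  openssl x509 -in "$1" -outform DER | base64 | tr -d '\n'
}

# Emit a single JWK (JSON object on one line) for certificate $1 with key id $2.
jwk_from_cert() {
  cert=$1; kid=$2
  alg=$(openssl x509 -in "$cert" -noout -text | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
  case "$alg" in
    rsaEncryption)
      # Modulus: openssl prints "Modulus=<hex>"; convert hex -> bytes -> base64url.
      n=$(openssl x509 -in "$cert" -noout -modulus | cut -d= -f2 | xxd -r -p | b64url)
      # Exponent line reads "Exponent: 65537 (0x10001)"; take the hex and pad to whole bytes.
      ehex=$(openssl x509 -in "$cert" -noout -text | sed -n 's/.*Exponent: *[0-9]* *(0x\([0-9a-fA-F]*\)).*/\1/p')
      [ $(( ${#ehex} % 2 )) -eq 0 ] || ehex="0$ehex"
      e=$(printf '%s' "$ehex" | xxd -r -p | b64url)
      printf '{"kid":"%s","kty":"RSA","use":"sig","n":"%s","e":"%s","x5c":["%s"]}\n' \
        "$kid" "$n" "$e" "$(x5c_of "$cert")"
      ;;
    id-ecPublicKey)
      # The DER SubjectPublicKeyInfo of a P-256 key ends with the 65-byte
      # uncompressed point 0x04 || X || Y, so the coordinates can be cut out as bytes.
      spki=$(mktemp)
      openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER > "$spki"
      if [ "$(tail -c 65 "$spki" | head -c 1 | od -An -tx1 | tr -d ' \n')" != "04" ]; then
        echo "unexpected EC point encoding in $cert" >&2; rm -f "$spki"; return 1
      fi
      x=$(tail -c 64 "$spki" | head -c 32 | b64url)
      y=$(tail -c 32 "$spki" | b64url)
      rm -f "$spki"
      printf '{"kid":"%s","kty":"EC","use":"sig","crv":"P-256","x":"%s","y":"%s","x5c":["%s"]}\n' \
        "$kid" "$x" "$y" "$(x5c_of "$cert")"
      ;;
    *)
      echo "unsupported key algorithm: $alg" >&2; return 1 ;;
  esac
}

# Wrap one or more JWK lines from stdin into a JWK Set.
jwks_of() {
  printf '{"keys":[%s]}\n' "$(paste -s -d ',' -)"
}

# Usage: jwk_from_cert signing.pem "$KID" | jwks_of > jwks.json
```

Note that `n`, `e`, `x` and `y` are base64url without padding while `x5c` stays standard base64 with padding; mixing the two encodings is the most common reason a hand-built JWK fails validation.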

## Validate your JWK

You can validate your JWK using the [JWK / JWKS / PEM Converter](https://dailydevelopertools.com/jwk-jwks-pem-converter.html) or by checking that the key structure matches the [supported key types](/docs/guides/build-banking-apps/register-your-application-using-dcr/get-the-jwks-url#supported-key-types).

## Verify that your JWKs URL is publicly accessible

In order for us to be able to access your JWKs, your JWKs URL must be:

- publicly accessible
- **not** georestricted

Additionally, the JWKs must be encoded in UTF-8 and **must not** include a Byte Order Mark (BOM).

:::info [BOM]
A **Byte Order Mark (BOM)** is an optional three-byte prefix (`EF BB BF`) that some text editors add to indicate byte order; UTF-8 does not require it.
If a BOM is present in the JWKS document served at your JWKs URL, it can break validation or signature verification.
:::

To verify that we can fetch the data from your public JWKs domain, run a `curl` command in your terminal and check that the full JWKs appear in the response.
Alternatively, open the URL in your browser to confirm the content is visible and accessible.
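
The following script, added here as an example rather than Revolut's own check, automates what the `curl` test above and the warnings on this page ask for: it downloads the document as a relying party would and then checks that it is raw JSON rather than an HTML page, that it has no BOM, and that it contains a `keys` array with at least one RSA or EC key marked `"use":"sig"`. It assumes `curl`, `od`, `grep` and `mktemp` are available; the function names and the example URL are the example's own.

```shell
# Added example (not part of the Revolut docs): fetch a JWKs URL and run the
# sanity checks described on this page. Assumes curl, od, grep and mktemp.

# Download $1 to file $2, asking for JSON, and print the HTTP status code.
fetch_jwks() {
  curl -sSL --max-time 10 -H 'Accept: application/json' -o "$2" -w '%{http_code}' "$1"
}

# Check a saved JWKS document; print one line per problem, return 1 if any.
check_jwks_file() {
  f=$1; rc=0
  # 1. A UTF-8 BOM (EF BB BF) at the start of the document is not allowed.
  if [ "$(od -An -tx1 -N3 "$f" | tr -d ' \n')" = "efbbbf" ]; then
    echo "BOM present at start of document"; rc=1
  fi
  # 2. Raw JSON is required, not the HTML page that displays it (pastebin, gist web view).
  if grep -Eqi '<html|<!DOCTYPE' "$f"; then
    echo "document is HTML, not raw JSON"; rc=1
  fi
  # 3. A JWK Set is a JSON object, so the first non-blank character must be '{'.
  first=$(tr -d ' \t\r\n' < "$f" | head -c 1)
  [ "$first" = "{" ] || { echo "document does not start with a JSON object"; rc=1; }
  # 4. There must be a "keys" array holding at least one signing key.
  grep -Eq '"keys"[[:space:]]*:' "$f" || { echo 'no "keys" member'; rc=1; }
  grep -Eq '"use"[[:space:]]*:[[:space:]]*"sig"' "$f" || { echo 'no key with "use":"sig"'; rc=1; }
  # 5. Keys need a kid and one of the supported key types.
  grep -Eq '"kid"[[:space:]]*:' "$f" || { echo 'no "kid"'; rc=1; }
  grep -Eq '"kty"[[:space:]]*:[[:space:]]*"(RSA|EC)"' "$f" || { echo 'no RSA or EC key'; rc=1; }
  return $rc
}

# End to end: fetch, then check. Usage: verify_jwks_url https://example.test/jwks.json
verify_jwks_url() {
  tmp=$(mktemp)
  status=$(fetch_jwks "$1" "$tmp") || { rm -f "$tmp"; return 1; }
  [ "$status" = "200" ] || { echo "HTTP $status"; rm -f "$tmp"; return 1; }
  if check_jwks_file "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}
```

The checks are deliberately textual (no JSON parser is assumed) so the script runs on a bare shell; a clean pass here does not replace the converter linked under "Validate your JWK", it only catches the hosting mistakes that produce the `Failed to fetch public key` error.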

:::tip [Certificates and testing]
Open Banking test certificates may fail validation in some cases – for example, if the certificate is outdated, mismatched, or not included in our trust store.
To work around this during testing, you can create a new [Gist](https://gist.github.com/) to host the JWKS for this test.

In **Production**, use your **actual JWKs URL.**
:::

If you see the error `Failed to fetch public key from https://...`, contact our [API Support team](mailto:api-requests@revolut.com) and share both your signing certificate and the JWKs URL.