Web security has many terms and concepts. One of them is "JWKS" or "JSON Web Key Set." Hanko uses JWKS, so let's get to know it better.
A JSON Web Key Set (JWKS) is a set of keys containing the public keys used to verify any JSON Web Token (JWT) issued by an authorization server and signed using the RS256 signing algorithm. These keys are represented in JSON format.
Hanko's backend harnesses the power of JWT and JWKS to provide a robust, secure, and efficient user authorization mechanism. By doing so, Hanko ensures the integrity and authenticity of each user's token, offering a seamless and secure user experience.
When it comes to authentication, verifying the integrity and validity of a token is crucial. To do this, we require public keys. Instead of hardcoding these keys or managing them manually, JWKS offers a dynamic and flexible way to provide these keys. It acts as a public repository of keys that can be retrieved and rotated without significant changes in the systems that use them.
Here's a simple example:
Here's what happens when someone logs in using Hanko:
The /.well-known/jwks.json endpoint is a standard location that serves the public keys for verifying JWT access tokens. Hanko exposes this endpoint by default for each Hanko Cloud project at:
https://{project.id}.hanko.io/.well-known/jwks.json
JWKS is an essential component in the modern authentication ecosystem, especially when JWTs are involved. Its dynamic and standardized nature ensures that the process of key management becomes less cumbersome and more secure.
Find out more on how to check JWTs with JWKS in our backend guides.