JWKS API

The BindID Service exposes an HTTP OIDC /jwks endpoint defined by the OIDC standard, which can be used to retrieve the public part of the signing key in order to validate the ID token. The response to a successful /jwks request is an HTTP 200 response, with the structure described below.

HTTP Request

The OIDC /jwks endpoint is available on the BindID Service at:

https://<host-name>/jwks

where <host-name> has the following value depending on the environment:

  • Sandbox: signin.bindid-sandbox.io
  • Production: signin.bindid.io

Request Example

GET /jwks HTTP/1.1

Response Headers

The response includes the following HTTP headers:

Header Name      Description
Content-Type     Returns application/json
Cache-Control    Returns no-store, must-revalidate
Pragma           Returns no-cache

Response Body

The JSON object in the body has the structure defined in RFC 7517. The key whose use parameter is sig should be used to verify the ID token signature.

Response Example

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store, must-revalidate
Pragma: no-cache

{
  "keys": [
    {
      "kty": "EC",
      "use": "enc",
      "crv": "P-256",
      "kid": "{\"provider_type\":\"db\",\"alias\":\"bindid-oidc-jwt-signing-key\",\"type\":\"local\",\"version\":\"auto-generated_bindid\"}",
      "x5c": [
        "..."
      ],
      "x": "Dplpm4XR0nMBLJRf1YhEuRJxSVoDH-WGGh2tS-Bv3PQ",
      "y": "TXw5cBJ7QszpEBc3zoor4Jo3gUMviAyzghxglk22zFs",
      "alg": "ECDH-ES+A256KW"
    },
    {
      "kty": "EC",
      "use": "sig",
      "crv": "P-256",
      "kid": "{\"provider_type\":\"db\",\"alias\":\"bindid-oidc-jwt-signing-key\",\"type\":\"local\",\"version\":\"auto-generated_bindid\"}",
      "x5c": [
        "..."
      ],
      "x": "Dplpm4XR0nMBLJRf1YhEuRJxSVoDH-WGGh2tS-Bv3PQ",
      "y": "TXw5cBJ7QszpEBc3zoor4Jo3gUMviAyzghxglk22zFs",
      "alg": "ES256"
    }
  ]
}
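
The response example lists an enc entry and a sig entry under the same kid, so a client that picks a key by kid alone can land on the wrong one. The sketch below is an added example, not BindID code: it filters on use, alg and curve, then checks that the coordinates lie on P-256 before the key is handed to a verifier. The function name select_signing_key, the sample kid, the sample coordinates (the P-256 base point) and the assumption that the ID token header carries alg ES256 and optionally a kid are all constructed for illustration.

```python
import base64

# NIST P-256 domain parameters (FIPS 186-4), used for the on-curve check.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

def b64u_decode(s):
    """Decode unpadded base64url, as used for JWK coordinates."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_encode(n):
    """Encode an integer as a 32-byte unpadded base64url string."""
    return base64.urlsafe_b64encode(n.to_bytes(32, "big")).rstrip(b"=").decode()

def select_signing_key(jwks, jwt_header):
    """Return (x, y) of the single JWK allowed to verify a token with this header."""
    # Pin the algorithm on the client side; never let the token choose it.
    if jwt_header.get("alg") != "ES256":
        raise ValueError("unexpected alg in token header")
    kid = jwt_header.get("kid")
    matches = [k for k in jwks.get("keys", [])
               if k.get("use") == "sig" and k.get("kty") == "EC"
               and k.get("crv") == "P-256" and k.get("alg") == "ES256"
               and (kid is None or k.get("kid") == kid)]
    if len(matches) != 1:
        raise ValueError("expected exactly one signing key, got %d" % len(matches))
    raw_x, raw_y = b64u_decode(matches[0]["x"]), b64u_decode(matches[0]["y"])
    if len(raw_x) != 32 or len(raw_y) != 32:
        raise ValueError("bad coordinate length")
    x, y = int.from_bytes(raw_x, "big"), int.from_bytes(raw_y, "big")
    # Curve equation y^2 = x^3 - 3x + b (mod p); rejects malformed keys.
    if x >= P or y >= P or (y * y - (x * x * x - 3 * x + B)) % P != 0:
        raise ValueError("point is not on P-256")
    return x, y

# Constructed sample: same shape as the response above (enc and sig entries
# sharing one kid); the coordinates are the P-256 base point, not a BindID key.
KID = "constructed-kid"
COORDS = {"x": b64u_encode(GX), "y": b64u_encode(GY)}
SAMPLE_JWKS = {"keys": [
    dict(COORDS, kty="EC", crv="P-256", kid=KID, use="enc", alg="ECDH-ES+A256KW"),
    dict(COORDS, kty="EC", crv="P-256", kid=KID, use="sig", alg="ES256"),
]}

if __name__ == "__main__":
    print(select_signing_key(SAMPLE_JWKS, {"alg": "ES256", "kid": KID}))
```

The returned coordinates are what an ES256 verifier needs as the public key; signature verification itself is left to a JOSE library.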