JWKS API

The BindID Service exposes the /jwks endpoint defined by the OIDC standard. Use it to retrieve the public part of the signing key in order to validate the ID token. A successful /jwks request returns an HTTP 200 response with the structure described below.

HTTP Request

The OIDC /jwks endpoint is available on the BindID Service at:

https://<host-name>/jwks

where <host-name> has the following value depending on the environment:

  • Sandbox: signin.bindid-sandbox.io
  • Production: signin.identity.security
  • Production EU: signin.eu.identity.security

Request Example

GET /jwks HTTP/1.1

Response Headers

The response includes the following HTTP headers:

Header Name      Description
Content-Type     Returns application/json
Cache-Control    Returns no-store, must-revalidate
Pragma           Returns no-cache

Response Body

The JSON object in the body has the structure defined in RFC 7517. Use the key whose use value is sig to verify the ID token signature.

Response Example

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store, must-revalidate
Pragma: no-cache

{
  "keys":[
    {
      "kty":"RSA",
      "e":"AQAB",
      "use":"sig",
      "kid":"{\"provider_type\":\"db\",\"alias\":\"bindid-oidc-jwt-signing-key\",\"type\":\"local\",\"version\":\"auto-generated_bindid\"}",
      "x5c":[
        "<base64-encoded X.509 certificate omitted>"
      ],
      "alg":"RS256",
      "n":"thrP8SWstCKCeCbgY3EsaU7IhZ7LK20hjTpI6KYJ60jN_RU7Li_BHrZN11zDN0u8k1fpkjZY5MNiLIJLeeBybkPXPpChzZoEfeSgc4FvxH-KxQ-uFykcm9YgHQh_Dx6nTFYJBZzFR8t5nOC9WAh1UQz7FPKqsdTnIsEUSTlGaNhJ6DVkYY_LQmYwK4FZOJ3Sy8M8MSdgPnZHUYoaxG159AVFqw9JY7BgYcOXfA2QcMIuxdxKg9YUHGKpQZ4pON-bRC-CuFe8KiRZSw5dhkzb3wVD5ygDEptrEV5_eH2e7kRGjKIV7D29j_M4Va1sabYElgIA3QyXyuIQd5BGTRnyLw"
    },
    {
      "kty":"RSA",
      "e":"AQAB",
      "use":"enc",
      "kid":"{\"provider_type\":\"db\",\"alias\":\"bindid-oidc-jwt-encryption-key\",\"type\":\"local\",\"version\":\"auto-generated_bindid\"}",
      "x5c":[
        "<base64-encoded X.509 certificate omitted>"
      ],
      "alg":"RSA-OAEP-256",
      "n":"wOk8mzUIinsuLhAh4xJmnb3TNlwISF1p_SU4bemlqAtPp76JzA8DIR6qUGjK5-yaMM72xFh8ytB4eA6GWyyexACtu4w2bVEZnC04gvTBxx6lreFmaJePtW1PvKfE7qL8DJcIhIkT_YVwsXFIGRcqIo9sKiTFtU561eWcdvwmogcFhRjhGGUqR360WVOF5vMzsyCH6mWb1NR1hXPO4tcQQLrxe5NEC52ZF3qJumQIrzCHiWERNtCFbV1IAWUU25es01bNU5ha0dYhdDFifwVNgXChICxAgi6cy7MCR0dgr5WpYG-pV3TLmm6X3h2fDKeUPeVIPC6HK13y7wVNzBYJQw"
    }
  ]
}
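
The key selection described under Response Body, carried through to an RS256 signature check, as an added example rather than BindID's own code: it picks the use=sig key from a parsed /jwks response and verifies the token's signature with the Python standard library only. The function names are assumptions, and checks on the token's claims are outside its scope.

```python
import base64, hashlib, hmac, json

# DER DigestInfo prefix for SHA-256 in RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data: str) -> bytes:
    """Decode unpadded base64url as used by JWT segments and JWK members."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def select_signing_key(jwks: dict, header: dict) -> dict:
    """Return the single RSA key with use=sig; the use=enc key is never accepted."""
    # Pin the algorithm instead of trusting the token: rejects "none" and HS256.
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg in token header")
    keys = [k for k in jwks.get("keys", [])
            if k.get("kty") == "RSA" and k.get("use") == "sig"
            and k.get("alg", "RS256") == "RS256"]
    if "kid" in header:  # a kid in the token header narrows the choice
        keys = [k for k in keys if k.get("kid") == header["kid"]]
    if len(keys) != 1:
        raise ValueError("no unique signing key in JWKS")
    return keys[0]

def verify_id_token_signature(token: str, jwks: dict) -> dict:
    """Return the claims if the RS256 signature verifies; raise ValueError otherwise."""
    h64, p64, s64 = token.split(".")  # ValueError unless exactly three segments
    key = select_signing_key(jwks, json.loads(b64url(h64)))
    n = int.from_bytes(b64url(key["n"]), "big")
    e = int.from_bytes(b64url(key["e"]), "big")
    k = (n.bit_length() + 7) // 8  # modulus length in bytes
    sig = b64url(s64)
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        raise ValueError("malformed signature")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    digest = hashlib.sha256(f"{h64}.{p64}".encode("ascii")).digest()
    # Rebuild the full expected encoding and compare it whole, instead of
    # parsing the padding out of the recovered block.
    expected = (b"\x00\x01" + b"\xff" * (k - len(SHA256_PREFIX) - 35)
                + b"\x00" + SHA256_PREFIX + digest)
    if not hmac.compare_digest(em, expected):
        raise ValueError("signature mismatch")
    return json.loads(b64url(p64))
```

Pass the parsed JSON body of the /jwks response as `jwks`. Because the response is sent with Cache-Control: no-store, fetch it over TLS from the host for your environment rather than from an intermediary cache.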