Get the JSON Web Key Set (JWKS) for a project.

JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key set, and both key sets will be returned by this endpoint for a period of 1 month.

JWTs have a set lifetime of 5 minutes, so there will be a 5 minute period where some JWTs will be signed by the old JWKS, and some JWTs will be signed by the new JWKS. The correct JWKS to use for validation is determined by matching the kid value of the JWT and JWKS.

If you're using one of our backend SDKs, the JWKS roll will be handled for you.

If you're using your own JWT validation library, many have built-in support for JWKS rotation, and you'll just need to supply this API endpoint. If not, your application should decide which JWKS to use for validation by inspecting the kid value.

See our How to use Stytch Session JWTs guide for more information.

Path parameters


Response fields



curl --request GET \
  --url \
  -H 'Content-Type: application/json'


    "status_code": 200,
    "keys": [
            "alg": "RS256",
            "e": "example-e",
            "key_ops": ["verify"],
            "kid": "example-key-id",
            "kty": "RSA",
            "n": "example-n",
            "use": "sig",
            "x5c": ["example-x5c"],
            "x5tS256": "example-x5tS256",