JWKS Endpoint
Retrieve the public JSON Web Key Set used to verify JWT signatures from Avnology ID.
Endpoint
GET /.well-known/jwks.json
Base URL: https://api-id.avnology.net
Authentication: None required (public endpoint)
Returns the public keys used to sign JWTs (access tokens and ID tokens). Use these keys to verify token signatures locally without calling the introspection endpoint.
Request
curl https://api-id.avnology.net/.well-known/jwks.json
Response
Success (200 OK)
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "avnl-rsa-2026-04",
      "use": "sig",
      "alg": "RS256",
      "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
      "e": "AQAB"
    }
  ]
}
Keys are rotated periodically. Your application should cache the JWKS response and refresh it when encountering a JWT with an unknown kid.
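The cache-and-refresh behaviour described above, as an added example (not Avnology's code): a kid-indexed cache that refetches on an unknown kid, but at most once per cooldown. The JWKSCache class, the injected fetch and clock callables, the 30-second cooldown and the second kid are assumptions; key material is omitted because signature verification is left to the libraries shown under Verifying JWTs Locally.

```python
import time
from typing import Optional


class JWKSCache:
    """Cache JWKS entries by kid; refetch on an unknown kid, at most once per cooldown."""
    def __init__(self, fetch, cooldown: float = 30.0, clock=time.monotonic):
        self._fetch = fetch        # assumption: callable returning the parsed JWKS document
        self._cooldown = cooldown  # assumption: 30 s minimum between refetches
        self._clock = clock
        self._keys: dict = {}
        self._last_fetch: Optional[float] = None
        self.fetch_count = 0

    def _refresh(self) -> None:
        doc = self._fetch()  # if this raises, the previously cached keys stay in place
        self._keys = {k["kid"]: k for k in doc.get("keys", [])
                      if k.get("use") == "sig" and "kid" in k}  # signing keys only
        self._last_fetch = self._clock()
        self.fetch_count += 1

    def get_key(self, kid: str) -> Optional[dict]:
        if kid in self._keys:
            return self._keys[kid]
        # Unknown kid: refetch, but at most once per cooldown, so tokens carrying
        # arbitrary kid values cannot each trigger an outbound request.
        now = self._clock()
        if self._last_fetch is None or now - self._last_fetch >= self._cooldown:
            self._refresh()
        return self._keys.get(kid)  # None means: reject the token


def demo() -> list:
    # Constructed sample data: key material (n, e) omitted, second kid is made up.
    old = {"kty": "RSA", "kid": "avnl-rsa-2026-04", "use": "sig", "alg": "RS256"}
    new = {"kty": "RSA", "kid": "constructed-next-kid", "use": "sig", "alg": "RS256"}
    published, now = {"keys": [old]}, [0.0]
    cache = JWKSCache(lambda: published, clock=lambda: now[0])
    out = [cache.get_key("avnl-rsa-2026-04") is not None]          # first use fetches
    out.append(cache.get_key("bogus-kid") is None)                  # inside cooldown: no refetch
    published["keys"] = [old, new]                                  # provider rotates keys
    out.append(cache.get_key("constructed-next-kid") is None)       # still inside cooldown
    now[0] = 31.0
    out.append(cache.get_key("constructed-next-kid") is not None)   # cooldown over: refetch
    return out + [cache.fetch_count]


if __name__ == "__main__":
    print(demo())
```

The cooldown trades a short window in which a freshly rotated key is rejected for a bound on outbound JWKS requests; tune it to the provider's rotation overlap.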
Verifying JWTs Locally
JavaScript (jose)
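import { createRemoteJWKSet, jwtVerify } from 'jose';
const JWKS = createRemoteJWKSet(new URL('https://api-id.avnology.net/.well-known/jwks.json'));
async function verifyToken(token) {
  // Accept only RS256, the algorithm the key set advertises; add issuer and audience options for your deployment.
  const { payload } = await jwtVerify(token, JWKS, { algorithms: ['RS256'] });
  return payload;
}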
Python (PyJWT)
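import jwt
import httpx
def verify_token(token: str, audience: str) -> dict:
    jwks = httpx.get("https://api-id.avnology.net/.well-known/jwks.json").json()
    # Index the published keys by kid so the token header selects the verification key.
    public_keys = {k["kid"]: jwt.PyJWK(k).key for k in jwks["keys"]}
    kid = jwt.get_unverified_header(token)["kid"]
    return jwt.decode(token, key=public_keys[kid], algorithms=["RS256"], audience=audience)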
Go (go-jose)
import "github.com/go-jose/go-jose/v4"
func verifyToken(token string) (*jwt.Claims, error) {
resp, _ := http.
Related
- Discovery -- find the JWKS URL programmatically
- Introspect Token -- server-side token validation