RFC 7517 - JSON Web Key (JWK)

Published: May 2015
Status: Standards Track
Author: M. Jones (Microsoft)

---

Abstract

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.

---

Table of Contents

• 1. Introduction
  • 1.1 Notational Conventions
• 2. Terminology
• 3. Example JWK
• 4. JSON Web Key (JWK) Format
  • 4.1 "kty" (Key Type) Parameter
  • 4.2 "use" (Public Key Use) Parameter
  • 4.3 "key_ops" (Key Operations) Parameter
  • 4.4 "alg" (Algorithm) Parameter
  • 4.5 "kid" (Key ID) Parameter
  • 4.6 "x5u" (X.509 URL) Parameter
  • 4.7 "x5c" (X.509 Certificate Chain) Parameter
  • 4.8 "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter
  • 4.9 "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Parameter
• 5. JWK Set Format
  • 5.1 "keys" Parameter
• 6. String Comparison Rules
• 7. Encrypted JWK and Encrypted JWK Set Formats
• 8. IANA Considerations
  • 8.1 JSON Web Key Parameters Registry
  • 8.2 JSON Web Key Use Registry
  • 8.3 JSON Web Key Operations Registry
  • 8.4 JSON Web Key Set Parameters Registry
  • 8.5 Media Type Registration
• 9. Security Considerations
  • 9.1 Key Provenance and Trust
  • 9.2 Preventing Disclosure of Non-public Key Information
  • 9.3 RSA Private Key Representations and Blinding
  • 9.4 Key Entropy and Random Values
• 10. References
  • 10.1 Normative References
  • 10.2 Informative References

Appendices

• Appendix A. Example JSON Web Key Sets
  • A.1 Example Public Keys
  • A.2 Example Private Keys
  • A.3 Example Symmetric Keys
• Appendix B. Example Use of "x5c" Parameter
• Appendix C. Example Encrypted RSA Private Key
  • C.1 Plaintext RSA Private Key
  • C.2 JOSE Header
  • C.3 Content Encryption Key (CEK)
  • C.4 Key Derivation
  • C.5 Key Encryption
  • C.6 Initialization Vector
  • C.7 Additional Authenticated Data
  • C.8 Content Encryption
  • C.9 Complete Representation
• Acknowledgements
• Author's Address

---

Related Resources

• Official Text: RFC 7517
• Official Page: RFC 7517 DataTracker
• Errata: RFC Editor Errata

JOSE RFC Series

• RFC 7515 - JSON Web Signature (JWS)
• RFC 7516 - JSON Web Encryption (JWE)
• RFC 7517 - JSON Web Key (JWK) ← This document
• RFC 7518 - JSON Web Algorithms (JWA)
• RFC 7519 - JSON Web Token (JWT)