/jwks.json
Issuer-managed key lookup metadata for verifying M7-signed tokens.
Endpoint
- Methods: GET or HEAD
- URL: https://sso.user.m7.org/jwks.json
- Response: JSON
Important behavior
This endpoint does not currently return a traditional enumerable JWKS set.
Instead, it returns lookup instructions that tell verifiers how to resolve a specific key by kid.
Current response shape
{
  "issuer": "https://id.m7.org",
  "template": "https://id.m7.org/api/v2/cert/kid/{kid}?response=jwk",
  "comment": "Assume-breach model. Keys are held at the issuer and resolved per key to reduce blast radius under external compromise or insider-threat scenarios.",
  "instructions": "Use the JWT header kid with the issuer template. Do not assume a single enumerable JWKS inventory."
}
How to use it
- Read the JWT header kid
- Substitute it into the template
- Fetch the JWK for that specific key
Notes
- Do not assume one static JWKS document containing every active signing key.
- If your JWT library expects a conventional JWKS set, you may need a small adapter layer.
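A sketch of such an adapter layer, covering the three steps under "How to use it". It is an added example, not M7's own code. Because kid comes from a token that has not been verified yet, it is validated before it goes into the URL. Assumptions: the kid character set in KID_RE, the caller-supplied fetch_json(url) HTTP helper, and that a returned JWK may carry its own kid.

```python
import base64
import json
import re
from urllib.parse import quote, urlsplit

# Constructed copy of the response shape shown above (comment/instructions omitted).
METADATA = {
    "issuer": "https://id.m7.org",
    "template": "https://id.m7.org/api/v2/cert/kid/{kid}?response=jwk",
}

# Assumption: kids are short URL-safe tokens; adjust to the issuer's real format.
KID_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


def kid_from_jwt(token: str) -> str:
    """Read kid from the (still unverified) JWT header."""
    header_b64 = token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    kid = header.get("kid") if isinstance(header, dict) else None
    if not isinstance(kid, str) or not KID_RE.fullmatch(kid):
        raise ValueError("missing or malformed kid")
    return kid


def key_url(metadata: dict, kid: str) -> str:
    """Substitute kid into the template and pin the result to the issuer origin."""
    if not KID_RE.fullmatch(kid):
        raise ValueError("malformed kid")
    url = metadata["template"].replace("{kid}", quote(kid, safe=""))
    issuer, target = urlsplit(metadata["issuer"]), urlsplit(url)
    if target.scheme != "https" or target.netloc != issuer.netloc:
        raise ValueError("template does not point at the issuer")
    return url


def resolve_jwks(token: str, metadata: dict, fetch_json) -> dict:
    """Adapter: one-key JWKS set for libraries that expect {"keys": [...]}."""
    kid = kid_from_jwt(token)
    jwk = fetch_json(key_url(metadata, kid))
    # If the returned JWK names a kid, it must be the one that was asked for.
    if jwk.get("kid") not in (None, kid):
        raise ValueError("issuer returned a different key")
    return {"keys": [jwk]}
```

Pass the returned set to the JWT library's normal JWKS verification path; signature, iss and expiry checks still happen there.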