Security News
Crates.io Implements Trusted Publishing Support
Crates.io adds Trusted Publishing support, enabling secure GitHub Actions-based crate releases without long-lived API tokens.
By Sarah Gooding - Jul 16, 2025
You're Invited:Meet the Socket Team at BlackHat and DEF CON in Las Vegas, Aug 4-6.RSVP →
What is jwks-rsa?
The jwks-rsa npm package is a library that helps to retrieve RSA signing keys from a JWKS (JSON Web Key Set) endpoint. It is primarily used in scenarios where you need to verify the signature of JSON Web Tokens (JWTs) against public keys published in a JWKS. This is common in modern authentication flows, especially those implementing OpenID Connect.
What are jwks-rsa's main functionalities?
Retrieving RSA signing keys
This feature allows you to retrieve RSA signing keys from a JWKS endpoint. The `getSigningKey` method is used to fetch the key using the `kid` (key ID) from the JWT header. This is useful for verifying JWT signatures.
const jwksClient = require('jwks-rsa');
const client = jwksClient({
jwksUri: 'https://your-domain.com/.well-known/jwks.json'
});
function getKey(header, callback){
client.getSigningKey(header.kid, function(err, key) {
var signingKey = key.publicKey || key.rsaPublicKey;
callback(null, signingKey);
});
}Integrating with Express.js for JWT authentication
This code snippet demonstrates how to use jwks-rsa with express-jwt middleware for securing Express.js applications. The `expressJwtSecret` method is used to dynamically provide a signing key based on the incoming JWT's `kid`.
const jwt = require('express-jwt');
const jwksRsa = require('jwks-rsa');
const checkJwt = jwt({
secret: jwksRsa.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: 'https://your-domain.com/.well-known/jwks.json'
}),
audience: 'your-audience',
issuer: 'https://your-domain.com/',
algorithms: ['RS256']
});Other packages similar to jwks-rsa
node-jose
A package for JavaScript Object Signing and Encryption (JOSE) and JSON Web Token (JWT) implementation. It offers similar functionalities for handling JWKS but is more comprehensive in terms of JOSE standards support, including encryption and decryption capabilities, which jwks-rsa does not directly offer.
jsonwebtoken
This package is primarily focused on creating and verifying JSON Web Tokens (JWTs). While it doesn't directly handle JWKS, it is often used in conjunction with libraries like jwks-rsa for verifying JWT signatures against public keys obtained from a JWKS endpoint.
jwks-rsa
A library to retrieve RSA signing keys from a JWKS (JSON Web Key Set) endpoint.
npm install --save jwks-rsa
Usage
You'll provide the client with the JWKS endpoint which exposes your signing keys. Using the getSigningKey you can then get the signing key that matches a specific kid.
const jwksClient = require('jwks-rsa');
const client = jwksClient({
strictSsl: true, // Default value
jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json',
requestHeaders: {}, // Optional
requestAgentOptions: {}, // Optional
proxy: '[protocol]://[username]:[pass]@[address]:[port]', // Optional
});
const kid = 'RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg';
client.getSigningKey(kid, (err, key) => {
const signingKey = key.getPublicKey();
// Now I can use this to configure my Express or Hapi middleware
});
Integrations are also provided with:
Caching
By default, signing key verification results are cached in order to prevent excessive HTTP requests to the JWKS endpoint. If a signing key matching the kid is found, this will be cached and the next time this kid is requested the signing key will be served from the cache. The caching behavior can be configured as seen below:
const jwksClient = require('jwks-rsa');
const client = jwksClient({
cache: true, // Default Value
cacheMaxEntries: 5, // Default value
cacheMaxAge: ms('10m'), // Default value
jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json'
});
const kid = 'RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg';
client.getSigningKey(kid, (err, key) => {
const signingKey = key.getPublicKey();
// Now I can use this to configure my Express or Hapi middleware
});
Rate Limiting
Even if caching is enabled the library will call the JWKS endpoint if the kid is not available in the cache, because a key rotation could have taken place. To prevent attackers to send many random kids you can also configure rate limiting. This will allow you to limit the number of calls that are made to the JWKS endpoint per minute (because it would be highly unlikely that signing keys are rotated multiple times per minute).
const jwksClient = require('jwks-rsa');
const client = jwksClient({
rateLimit: true,
jwksRequestsPerMinute: 10, // Default value
jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json'
});
const kid = 'RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg';
client.getSigningKey(kid, (err, key) => {
const signingKey = key.getPublicKey();
// Now I can use this to configure my Express or Hapi middleware
});
Using AgentOptions for TLS/SSL Configuration
The requestAgentOptions property can be used to configure SSL/TLS options. An
example use case is providing a trusted private (i.e. enterprise/corporate) root
certificate authority to establish TLS communication with the jwks_uri.
const jwksClient = require("jwks-rsa");
const client = jwksClient({
strictSsl: true, // Default value
jwksUri: 'https://my-enterprise-id-provider/.well-known/jwks.json',
requestHeaders: {}, // Optional
requestAgentOptions: {
ca: fs.readFileSync(caFile)
}
});
For more information, see the NodeJS request library agentOptions
documentation.
Running Tests
npm run test
Showing Trace Logs
To show trace logs you can set the following environment variable:
DEBUG=jwks
Output:
jwks Retrieving keys from http://my-authz-server/.well-known/jwks.json +5ms
jwks Keys: +8ms [ { alg: 'RS256',
kty: 'RSA',
use: 'sig',
x5c: [ 'pk1' ],
kid: 'ABC' },
{ alg: 'RS256', kty: 'RSA', use: 'sig', x5c: [], kid: '123' } ]
License
This project is licensed under the MIT license. See the LICENSE file for more info.
[1.7.0] - (2020-02-18)
This release includes a change to the default caching mechanism. Caching is on now by default, with the decrease of the default time of 10hours to 10minutes. This change introduces better support for signing key rotation.
Added
Changed
- [SDK-1221] Modify Cache Defaults #123 (davidpatrick)
Fixed
- Add Linter step to CI #129 (davidpatrick)
- Send the explicit commit SHA to Codecov #128 (lbalmaceda)
FAQs
Library to retrieve RSA public keys from a JWKS endpoint
The npm package jwks-rsa receives a total of 3,570,866 weekly downloads. As such, jwks-rsa popularity was classified as popular.
We found that jwks-rsa demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 45 open source maintainers collaborating on the project.
Package last updated on 18 Feb 2020
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users
Undocumented protestware found in 28 npm packages disrupts UI for Russian-language users visiting Russian and Belarusian domains.
By Olivia Brown - Jul 15, 2025
Research
/Security News
Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader
North Korean threat actors deploy 67 malicious npm packages using the newly discovered XORIndex malware loader.
By Kirill Boychenko - Jul 14, 2025