--- title: Get JWKS for Key Rotation Policy description: The GET {{apiPath}}/v1/environments/{envID}/keyRotationPolicies/{krpID}/jwks endpoint fetches the public keys of all KRP keys attached to a KRP in JWKS format. For more information, refer to RFC 7517. component: pingone-api page_id: pingone-api:platform:certificate-management/key-rotation-policies/get-jwks-for-key-rotation-policy canonical_url: https://developer.pingidentity.com/pingone-api/platform/certificate-management/key-rotation-policies/get-jwks-for-key-rotation-policy.html section_ids: headers: Headers example-request: Example Request example-response: Example Response --- # Get JWKS for Key Rotation Policy ## ```none GET {{apiPath}}/v1/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks ``` The `GET {{apiPath}}/v1/environments/{envID}/keyRotationPolicies/{krpID}/jwks` endpoint fetches the public keys of all KRP keys attached to a KRP in JWKS format. For more information, refer to [RFC 7517](https://datatracker.ietf.org/doc/html/rfc7517). The following parameters are shown for each key: * `kty` The is the key type, which identifies the cryptographic algorithm family used with the key. Options are `RSA`. The `kty` parameter of enclosing `JWK` values will be consistent with the `algorithm` parameter of the `KrpKey`. * `e` This is the RSA public exponent parameter, which is used in the RSA Key blinding operation. * `kid` This is the key ID parameter, which is used to match a corresponding `kid` key value in the JWT token to validate the requestor and grant access to the specified API endpoint. The `kid` parameter of enclosing `JWK` values will refer to the UUID assigned to `KrpKeys` at creation time. These UUIDs are Type 1 (time-based) and therefore denote a chronological rotation order. * `use` This is the public key use parameter, which identifies the intended use of the public key. Options are `sig` (signature) and `enc` (encryption). The `use` parameter of enclosing `JWK` values must be consistent with `UsageType` assigned to the parent KRP. * `n` This is the RSA modulus parameter, which is used in the RSA Key blinding operation. * `x5t` This is an X.509 certificate SHA-1 thumbprint parameter, which is a base64url-encoded SHA-1 thumbprint of the DER encoding of an X.509 certificate. * `x5c` This is an X.509 certificate chain parameter, which is a chain of one or more PKIX certificates. ### Headers Authorization      Bearer {{accessToken}} ## ### Example Request * cURL * C# * Go * HTTP * Java * jQuery * NodeJS * Python * PHP * Ruby * Swift ```shell curl --location --globoff '{{apiPath}}/v1/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks' \ --header 'Authorization: Bearer {{accessToken}}' ``` ```csharp var options = new RestClientOptions("{{apiPath}}/v1/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks") { MaxTimeout = -1, }; var client = new RestClient(options); var request = new RestRequest("", Method.Get); request.AddHeader("Authorization", "Bearer {{accessToken}}"); RestResponse response = await client.ExecuteAsync(request); Console.WriteLine(response.Content); ``` ```golang package main import ( "fmt" "net/http" "io" ) func main() { url := "{{apiPath}}/v1/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks" method := "GET" client := &http.Client { } req, err := http.NewRequest(method, url, nil) if err != nil { fmt.Println(err) return } req.Header.Add("Authorization", "Bearer {{accessToken}}") res, err := client.Do(req) if err != nil { fmt.Println(err) return } defer res.Body.Close() body, err := io.ReadAll(res.Body) if err != nil { fmt.Println(err) return } fmt.Println(string(body)) } ``` ```http GET /v1/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks HTTP/1.1 Host: {{apiPath}} Authorization: Bearer {{accessToken}} ``` ```java OkHttpClient client = new OkHttpClient().newBuilder() .build(); MediaType mediaType = MediaType.parse("text/plain"); RequestBody body = RequestBody.create(mediaType, ""); Request request = new Request.Builder() .url("{{apiPath}}/v1/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks") .method("GET", body) .addHeader("Authorization", "Bearer {{accessToken}}") .build(); Response response = client.newCall(request).execute(); ``` ```javascript var settings = { "url": "{{apiPath}}/v1/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks", "method": "GET", "timeout": 0, "headers": { "Authorization": "Bearer {{accessToken}}" }, }; $.ajax(settings).done(function (response) { console.log(response); }); ``` ```javascript var request = require('request'); var options = { 'method': 'GET', 'url': '{{apiPath}}/v1/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks', 'headers': { 'Authorization': 'Bearer {{accessToken}}' } }; request(options, function (error, response) { if (error) throw new Error(error); console.log(response.body); }); ``` ```python import requests url = "{{apiPath}}/v1/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks" payload = {} headers = { 'Authorization': 'Bearer {{accessToken}}' } response = requests.request("GET", url, headers=headers, data=payload) print(response.text) ``` ```php setUrl('{{apiPath}}/v1/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks'); $request->setMethod(HTTP_Request2::METHOD_GET); $request->setConfig(array( 'follow_redirects' => TRUE )); $request->setHeader(array( 'Authorization' => 'Bearer {{accessToken}}' )); try { $response = $request->send(); if ($response->getStatus() == 200) { echo $response->getBody(); } else { echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' . $response->getReasonPhrase(); } } catch(HTTP_Request2_Exception $e) { echo 'Error: ' . $e->getMessage(); } ``` ```ruby require "uri" require "net/http" url = URI("{{apiPath}}/v1/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks") http = Net::HTTP.new(url.host, url.port); request = Net::HTTP::Get.new(url) request["Authorization"] = "Bearer {{accessToken}}" response = http.request(request) puts response.read_body ``` ```swift var request = URLRequest(url: URL(string: "{{apiPath}}/v1/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks")!,timeoutInterval: Double.infinity) request.addValue("Bearer {{accessToken}}", forHTTPHeaderField: "Authorization") request.httpMethod = "GET" let task = URLSession.shared.dataTask(with: request) { data, response, error in guard let data = data else { print(String(describing: error)) return } print(String(data: data, encoding: .utf8)!) } task.resume() ``` ### Example Response 200 OK ```json { "keys": [ { "kty": "RSA", "e": "AQAB", "use": "sig", "kid": "default", "x5c": [ "MIIDLDCCAhSgAwIBAgIGAWW17v5GMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRUwEwYDVQQKEwxQaW5nSWRlbnRpdHkxEzARBgNVBAMTCnByb2Qtb2F1dGgwHhcNMTgwOTA3MjEyNzQzWhcNMjMwOTA2MjEyNzQzWjBXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ08xDzANBgNVBAcTBkRlbnZlcjEVMBMGA1UEChMMUGluZ0lkZW50aXR5MRMwEQYDVQQDEwpwcm9kLW9hdXRoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjgQ8twHSmSlT28I7iTi4+IsA3jgfhGPx0pIC27LTDf0q4wBE8Ap5dG7kqL9GE7zoxleghUs6APP0qKWaTxBSqxISzZmZpRQqipM+Tog3wgLciIbRozRHTXmCmzFJcG5spoe2XtcZ3zMRs9kkOUzxN2XMXHBidQKFB82/NjDwqhW/gdbS1vJLt1j9gjl60wvXcTwFzTkqh6owGjMCVFrraEv+H6XdhP4VMM7gsPOSD+IJke0CmQyVMVXVWoydahMLqLuz59HBUCYFcW0HVJLDMKJvNoFhY9xZW3oiVrNPP7COdv5+4SLq3EIi5WVd9TglYDQt2SmyDV36pcBPautKvQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB42oNEjRUNRbMEnrQ6UyyyVu+DW6lL19RJoCasb4hRWe/YHr11xF3+JMObsaaRBA0/jJ7SAFiJxNpBC48ceXDK+mS3VbGDBj+Isi19Csa1HO0VpERKuNuaXmUGmJm4hkMcYFbnjC9+g/3bzDDiZWAiZUrqVA6HEj4MXb5/m7492msSFnhZ06qjAVj/qpRcVBIAIy1XCvTB2X913x4r+CjrWd0x3nHcjr2qfnmw96qPQU82MagWXenNNZbLpy+rDbWjYDB/bW3Rgp4704PLixar5gGR69x3JCvfr7N45oOYTQcZmTzsF75Ee2bsR2NXu1KvI7fLgLifz25V/eqYtjY" ], "alg": "RSA", "n": "jgQ8twHSmSlT28I7iTi4-IsA3jgfhGPx0pIC27LDf0q4wBE8Ap5dG7kqL9GE7zoxleghUs6APQ0qKWaTxBSqxISzZmZpRQqipM-Tog3wgLciIbRtyRHTXmCmzFJcG5spoe2XtcZ3zMRs9kkOUzxN2XMXHBidQKFB82_NjDwqhW_gdbS1vJLt1j9gjl60wvXcTwFzTkqh6owGjMCVFrraEv-H6XdhP4VMM7gsPOSD-IJke0CmQyVMVXVWoydahMLqLuz59HBUCYFcW0HVJLDMKJvNoFhY9xZW3oiVrNPP7COdv5-4SLq3EIi5WVd9TglYDQt2SmyDV36pcBPautKvQ" } ] } ```