Security & Auth
Processed locally in your browser

JWK / JWKS / PEM Converter

Convert PEM to JWK, JWK to PEM, build public-only JWKS files, compute RFC 7638 thumbprints, and match JWT kid values to keys locally in your browser.

Tool workspace

  • Paste PEM public keys, PKCS#8 private keys, X.509 certificates, JWK, JWKS, or compact JWTs.
  • Validate key fields, remove private fields from JWK, and export a public-only JWKS for publishing.
  • Inspect x5c, x5t, and x5t#S256 metadata where local parsing is available.
  • Privacy: keys, certificates, JWTs, reports, snippets, and exports stay in this browser.

Paste PEM, JWK, JWKS, or JWT

Browser-only JWK converter. Remote JWKS, jku, and x5u URLs are never fetched automatically.

Detection Summary

Detected type-
Confidence-
Blocks / keys-
Publish status-

Workbench

Parsed keys and blocks

Converted output

How to use the JWK / JWKS / PEM Converter

Convert public and private keys between PEM and JWK, validate and clean up a JWKS for publication at .well-known/jwks.json, generate RFC 7638 kid thumbprints, and match a JWT's kid against a key set. Supports RSA, EC (P-256 / P-384 / P-521), and Ed25519. Useful for OAuth / OIDC providers, microservices doing token verification, and key rotation. Runs locally in your browser — no network calls, no remote JWKS fetches.

What it does

When to use it

How to use it

  1. Pick the operation: PEM → JWK, JWK → PEM, JWKS generator, kid thumbprint, or JWT ↔ JWKS match.
  2. Paste the input (PEM block, JWK JSON, or JWKS).
  3. Set optional fields (kid, use, alg) and choose public-only cleanup if publishing.
  4. Copy the converted output. For publication, host it at .well-known/jwks.json.
  5. For full token sign / verify, hand off to the JWT & OAuth Toolkit.

Tips & pitfalls

FAQ

Runs locally in your browser. No uploads. No remote JWKS fetches. Always strip private fields before publishing a JWKS.

Related guides

Common tasks solved by this tool

Continue in a security debugging workflow

Chain this into related tools, or build it as a saved workflow in Workflows.

  1. Convert the key between JWK, JWKS and PEM — this tool
  2. Decode a JWT signed by the key
  3. Verify webhook signatures
  4. Inspect related certificates

Part of the security and debugging toolkit

Sanitize logs, verify signatures, decode tokens and inspect certificates locally before sharing sensitive debugging data.