Free, browser-based utilities for everyday developer workflows

JWK / JWKS / PEM Converter

Convert PEM to JWK, JWK to PEM, build public-only JWKS files, compute RFC 7638 thumbprints, and match JWT kid values to keys locally in your browser.

  • Paste PEM public keys, PKCS#8 private keys, X.509 certificates, JWK, JWKS, or compact JWTs.
  • Validate key fields, remove private fields from JWK, and export a public-only JWKS for publishing.
  • Inspect x5c, x5t, and x5t#S256 metadata where local parsing is available.
  • Privacy: keys, certificates, JWTs, reports, snippets, and exports stay in this browser.

Paste PEM, JWK, JWKS, or JWT

Browser-only JWK converter. Remote JWKS, jku, and x5u URLs are never fetched automatically.

Detection Summary

Detected type-
Confidence-
Blocks / keys-
Publish status-

Workbench

Parsed keys and blocks

Converted output

How to use the JWK / JWKS / PEM Converter

Convert public and private keys between PEM and JWK, validate and clean up a JWKS for publication at .well-known/jwks.json, generate RFC 7638 kid thumbprints, and match a JWT's kid against a key set. Supports RSA, EC (P-256 / P-384 / P-521), and Ed25519. Useful for OAuth / OIDC providers, microservices doing token verification, and key rotation. Runs locally in your browser — no network calls, no remote JWKS fetches.

What it does

When to use it

How to use it

  1. Pick the operation: PEM → JWK, JWK → PEM, JWKS generator, kid thumbprint, or JWT ↔ JWKS match.
  2. Paste the input (PEM block, JWK JSON, or JWKS).
  3. Set optional fields (kid, use, alg) and choose public-only cleanup if publishing.
  4. Copy the converted output. For publication, host it at .well-known/jwks.json.
  5. For full token sign / verify, hand off to the JWT & OAuth Toolkit.

Tips & pitfalls

FAQ

Runs locally in your browser. No uploads. No remote JWKS fetches. Always strip private fields before publishing a JWKS.