Free, browser-based utilities for everyday developer workflows

Convert a JWK / JWKS to PEM

Turn a JSON Web Key (or a key from a JWKS endpoint) into a PEM public key — the format most JWT-verification libraries expect — without sending the key anywhere.

Open this example in JWK / JWKS / PEM

Open the tool, then paste the sample input below. Everything runs locally in your browser.

Open this example in JWK / JWKS / PEM →

The problem

An identity provider publishes its signing keys as JWKS (a set of JWKs), but many JWT libraries verify with a PEM public key. Converting the JWK to PEM by hand means reconstructing the key from its modulus and exponent. A converter does the encoding so you get a usable PEM.

Sample input

JWK (RSA public key)
{
  "kty": "RSA",
  "kid": "2026-signing",
  "n": "0vx7ag...big-base64url-modulus...Cw",
  "e": "AQAB"
}

Expected output

PEM (truncated)
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A... (base64 DER) ...IDAQAB
-----END PUBLIC KEY-----

The modulus n and exponent e are encoded into a SubjectPublicKeyInfo DER structure and wrapped as a PEM PUBLIC KEY block — the form a verifier loads.

How to do it

  1. Paste the JWK, or one key from a JWKS set.
  2. Confirm the key type and that it is the public key.
  3. Convert it to PEM.
  4. Copy the PEM PUBLIC KEY block.
  5. Load the PEM into your JWT verification library.

Common mistakes

  • Pasting the whole JWKS and not selecting a single key by kid.
  • Expecting a private key from a public JWK.
  • Mismatching the kid, so verification uses the wrong key.
  • Confusing PEM PUBLIC KEY (SPKI) with an RSA PUBLIC KEY (PKCS#1) block.
  • Assuming the key never rotates — providers publish new kids over time.

Related tools

Related guides

FAQ

What is the difference between a JWK and a PEM?

A JWK is a JSON representation of a key; PEM is a base64-wrapped DER encoding. Many libraries verify JWTs with a PEM public key, so a JWK from a JWKS endpoint often needs converting.

How do I pick the right key from a JWKS?

A JWKS is an array of keys, each with a kid. Match the kid in the JWT header to the key in the set, then convert that one key.

Does converting expose my private key?

A public JWK only contains public parameters, so the PEM is a public key. The conversion also runs locally, so nothing is uploaded.

Why does my library reject the PEM?

Check whether it expects a SubjectPublicKeyInfo PUBLIC KEY block or a PKCS#1 RSA PUBLIC KEY block; they are different PEM headers for the same key.

Is my key uploaded?

No. The conversion runs locally in your browser. Your key is not sent to a server.

JWK to PEM conversion runs locally in your browser. Your key is never uploaded.

Explore more security and debugging tools

Convert keys, verify and decode tokens, inspect certificates and scan for secrets — grouped in one place.

View the security & debugging toolkit →