What is the difference between JWK and PEM format?

**PEM** is the classic OpenSSL format: a base64 blob between `-----BEGIN-----` / `-----END-----` lines. Native to nginx, Apache, OpenSSL CLI, most Unix tooling. **JWK (JSON Web Key)** is the JSON-native format defined by RFC 7517 and used everywhere in OAuth 2.0 and OpenID Connect, including JWKS endpoints. Same key material, two presentations. Most modern auth libraries (`jose` in Node, `PyJWT`, `go-jose`, Microsoft.IdentityModel) accept both; some legacy SDKs are PEM-only. We give you both because you usually need PEM for the server that signs and JWK for the JWKS document that other services fetch.

What is the "kid" header and why does it matter?

The **kid (key id)** is a short label in the JWT header that tells a verifier which public key to use, when the issuer rotates between several. A JWKS endpoint typically returns multiple keys (the current one plus the recently retired one during a rotation window), each tagged with a unique kid. The verifier reads `header.kid` from the incoming JWT, finds the matching public key in the JWKS, and uses that one. Without a kid, rotation gets painful: the verifier has to try every published key. We auto-generate a 12-character base64url kid for every keypair and put the same kid in the JWK and the sample JWT header so the chain is immediately consistent.

Why is RS256 the most common choice?

**RS256 = RSA-SHA256**, RSA-PKCS#1 v1.5 signatures over a SHA-256 hash. It is the **default for Auth0, Okta, Keycloak, AWS Cognito, Azure AD, Google Identity Platform**, and roughly every OAuth provider you have ever logged into. The reason is historical (RSA has been the default public-key algorithm for two decades) and practical (every JWT library on every platform supports it well, even very old ones). It is not the smallest, not the fastest, and PKCS#1 v1.5 is no longer considered the cryptographically cleanest choice, but it is the safest pick for compatibility. If you have no constraints, use RS256.

When should I pick ES256 over RS256?

**ES256 = ECDSA on P-256 with SHA-256**. The signatures and keys are much smaller: an ES256 public key is roughly **91 bytes** vs an RS256 2048-bit key at roughly **294 bytes**, and an ES256 signature is **64 bytes** vs RS256 at **256 bytes**. That translates into tokens that are **hundreds of bytes shorter**, which matters in mobile networks, IoT, and cookies (where size limits bite). Verification is also faster on most CPUs. The trade-off: ECDSA needs a **good random number generator** at signing time (a broken RNG can leak the private key, the famous Sony PS3 incident). On modern Node servers that is not a real risk, but it is the reason cautious shops still prefer RSA.

What is the difference between PS256 and RS256?

Both use RSA keys, both produce 256-bit security. The difference is the padding scheme. **RS256** uses **PKCS#1 v1.5**, a deterministic padding from 1998 that is well-understood but has had a long history of implementation pitfalls (Bleichenbacher attacks against TLS, signing oracles). **PS256** uses **RSA-PSS** (Probabilistic Signature Scheme), the modern padding standardised in PKCS#1 v2.1, which has a **provable security reduction** and uses randomness at signing time so two signatures of the same message differ. **PS256 is cryptographically cleaner** and is what NIST recommends for new RSA-based protocols. The catch: some older verifiers do not implement PS256. If you control both ends, use PS256. If you have to interop with the wider ecosystem, RS256.

Why is EdDSA called the modern choice?

**EdDSA (Ed25519 in the JWS context)** was designed by a team led by Daniel Bernstein to fix the foot-guns that have haunted ECDSA: it is **deterministic** (no RNG required at signing time, so no risk of the Sony-style leak), has **the smallest keys and signatures of any common algorithm** (32-byte public key, 64-byte signature), is **the fastest** to sign and verify on commodity hardware, and is **constant-time by construction** (no easy timing side channels). The OpenSSH project moved to it as the default in 2014; TLS 1.3 adopted it; the JWS spec added it in RFC 8037. The only reason it is not the universal default is library age, lots of older JWT libraries still do not support it. For new systems with modern dependencies (Node 14+, Go 1.13+, recent Python, recent .NET), pick EdDSA.

Which RSA key size should I pick: 2048, 3072, or 4096?

**2048-bit is the right answer for almost everyone**. NIST considers 2048-bit RSA equivalent to **~112-bit security**, which is the floor for keys protecting data through 2030. **3072-bit** bumps that to ~128-bit, the same level as P-256 / Ed25519. **4096-bit** offers ~152-bit security but **signs roughly 3 to 4 times slower** than 2048-bit, which can become a real CPU bill on busy auth servers minting millions of tokens per day. Pick 2048 unless you have a compliance requirement that demands 3072+. Going to 4096 only delays the day you migrate to elliptic curves, which is the actual long-term answer.

How do I rotate JWT signing keys without breaking active sessions?

The clean **dual-key rotation** pattern: (1) generate a new keypair with a new **kid**; (2) **publish both keys** in your JWKS so any verifier sees the old one plus the new one; (3) **wait for cache propagation** (most verifiers cache JWKS for 1 to 24 hours); (4) **switch the signer** to the new key; (5) **wait until the longest-lived token signed with the old key expires** (typically 1 hour for access tokens, longer for refresh tokens); (6) **remove the old key** from the JWKS. The whole sequence takes a day or two for typical access tokens and a week or two if you also issue long-lived refresh tokens. The kid header is what makes this safe: every token carries the id of the key that signed it, so the verifier always knows which one to use.

Why generate keys on a server, why not in the browser?

You **can** generate keypairs in the browser with the Web Crypto API, and for one-off testing that is fine. But for production keys we run it server-side for two practical reasons. First, the **entropy pool** on a server is generally healthier than in a random visitor browser, especially on devices with weak RNG (old Android, some embedded clients). Second, server-side gives a **single, audited code path** for every algorithm including EdDSA and P-521, where browser implementations have historically lagged. The keys never leave our memory after the response is sent, we do not log them, and the response is TLS-encrypted on the way to you. If you want the strongest possible isolation, **run `openssl` locally** or `ssh-keygen -t ed25519` and skip every web tool, including this one.

JWT Keypair Generator - free

What a JWT keypair is

A JWT is an authentication token your server hands out to logged-in users so they can prove who they are on every later request. The server signs the token with a private key, the client sends it back on each request, and any service holding the matching public key can verify the signature was real and the payload was not modified in transit.

To make all of that work you need a keypair: a private key that lives on the server doing the signing, and a public key that you share (often as a JWK document published at `/.well-known/jwks.json`) so verifiers can check the signature without ever seeing the secret.

This tool generates that keypair for any modern signing algorithm: RS256/RS384/RS512 (classic RSA), PS256 (RSA-PSS, the safer RSA variant), ES256/ES384/ES512 (elliptic curve), or EdDSA (Ed25519, the smallest and fastest). You get the keys in both PEM and JWK formats, plus a sample signed JWT you can immediately decode in the JWT decoder to see the full round trip. Generated server-side with Node's built-in `crypto`, never stored.

How to use it

Pick an algorithm. RS256 is the default for most setups (Auth0, Okta, Keycloak, and AWS Cognito all default to it). ES256 gives much smaller tokens. EdDSA is the modern darling: smallest keys, fastest signing, simplest implementation.
For RSA family (RS256, RS384, RS512, PS256): pick a key size. 2048-bit is the sane default. 3072-bit and 4096-bit get exponentially slower with negligible real-world security gain.
For EC family (ES256, ES384, ES512): the curve is chosen for you automatically (P-256, P-384, P-521 respectively). These are the only curves RFC 7518 allows for each algorithm.
For EdDSA: we always use Ed25519, the curve standardised by RFC 8037 for JWS. There are no knobs to turn here.
Click Generate. We return: the private key in PEM, the public key in PEM, the private key as a JWK, the public key as a JWK, plus a sample signed JWT with a tiny payload (`sub: user-123`, valid for 1 hour) so you can verify end-to-end that the keys work.
Save the private key now. We never store it. Closing this tab loses it forever. Install it on your auth server, your API gateway, or wherever you mint tokens.
Publish the public key as a JWKS document at `https://your-domain.com/.well-known/jwks.json`. Most libraries (jose, jsonwebtoken, PyJWT, Microsoft.IdentityModel) can fetch and cache that URL automatically.
Click Open in decoder next to the sample JWT to see the header, payload, and signature parsed live in the JWT decoder. Confirm the kid in the header matches the JWK you published.

When this is useful

Six common situations where a fresh JWT signing keypair earns its keep:

Setting up a new auth service (Keycloak, Ory Hydra, Auth0 self-hosted, a homegrown OAuth server, an internal API gateway). You need the keypair before you can mint a single token.
Migrating from HS256 to RS256/ES256/EdDSA. HS256 uses a shared secret which forces every verifier to hold the signing power. Asymmetric algorithms let you keep the private key on the auth server and hand the public key out freely. This is the standard upgrade path for any system that grows past one service.
Key rotation every 3 to 12 months as a security hygiene practice. Generate a new key under a new kid, publish both keys in your JWKS, switch the signer to the new key, retire the old one after the grace period.
Suspected key compromise. Server breach, accidental commit of the PEM to a public repo, ex-employee with key access. Generate a new keypair, rotate, revoke the old kid in JWKS, force-logout active sessions.
Multi-issuer architectures. Each service mints its own tokens; each gets its own keypair so their compromise blast radii are independent.
Testing and demos. Need a working JWT to test a verifier library? Generate a keypair, sign the sample, and you have a real end-to-end example in one click.

Related tools: JWT decoder (decode and inspect any JWT), DKIM keypair generator, bcrypt verify, password hash, UUID generator.

Questions and answers

A JWT (JSON Web Token) is a compact, URL-safe string made of three base64-encoded parts joined by dots: `header.payload.signature`. The header says which algorithm signed the token. The payload holds the claims (who the user is, when the token expires, what scopes they have). The signature is the proof that the issuer really minted this exact header and payload. To sign a JWT you need a private key. To verify it without leaking signing power, others need the matching public key. Symmetric algorithms (HS256, HS384, HS512) use a single shared secret instead, which is fine for one self-contained service but breaks down the moment a second service has to verify your tokens.

What a JWT keypair is

How to use it

Pick an algorithm. RS256 is the default for most setups (Auth0, Okta, Keycloak, and AWS Cognito all default to it). ES256 gives much smaller tokens. EdDSA is the modern darling: smallest keys, fastest signing, simplest implementation.

For RSA family (RS256, RS384, RS512, PS256): pick a key size. 2048-bit is the sane default. 3072-bit and 4096-bit get exponentially slower with negligible real-world security gain.

For EC family (ES256, ES384, ES512): the curve is chosen for you automatically (P-256, P-384, P-521 respectively). These are the only curves RFC 7518 allows for each algorithm.

For EdDSA: we always use Ed25519, the curve standardised by RFC 8037 for JWS. There are no knobs to turn here.

Click Generate. We return: the private key in PEM, the public key in PEM, the private key as a JWK, the public key as a JWK, plus a sample signed JWT with a tiny payload (`sub: user-123`, valid for 1 hour) so you can verify end-to-end that the keys work.

Save the private key now. We never store it. Closing this tab loses it forever. Install it on your auth server, your API gateway, or wherever you mint tokens.

Publish the public key as a JWKS document at `https://your-domain.com/.well-known/jwks.json`. Most libraries (jose, jsonwebtoken, PyJWT, Microsoft.IdentityModel) can fetch and cache that URL automatically.

Click Open in decoder next to the sample JWT to see the header, payload, and signature parsed live in the JWT decoder. Confirm the kid in the header matches the JWK you published.

When this is useful

Six common situations where a fresh JWT signing keypair earns its keep:

Setting up a new auth service (Keycloak, Ory Hydra, Auth0 self-hosted, a homegrown OAuth server, an internal API gateway). You need the keypair before you can mint a single token.
Migrating from HS256 to RS256/ES256/EdDSA. HS256 uses a shared secret which forces every verifier to hold the signing power. Asymmetric algorithms let you keep the private key on the auth server and hand the public key out freely. This is the standard upgrade path for any system that grows past one service.
Key rotation every 3 to 12 months as a security hygiene practice. Generate a new key under a new kid, publish both keys in your JWKS, switch the signer to the new key, retire the old one after the grace period.
Suspected key compromise. Server breach, accidental commit of the PEM to a public repo, ex-employee with key access. Generate a new keypair, rotate, revoke the old kid in JWKS, force-logout active sessions.
Multi-issuer architectures. Each service mints its own tokens; each gets its own keypair so their compromise blast radii are independent.
Testing and demos. Need a working JWT to test a verifier library? Generate a keypair, sign the sample, and you have a real end-to-end example in one click.

Related tools: JWT decoder (decode and inspect any JWT), DKIM keypair generator, bcrypt verify, password hash, UUID generator.

Questions and answers

JWT Keypair Generator

What a JWT keypair is

How to use it

When this is useful

Questions and answers

Related tools

JWT decoder

DKIM Keypair Generator

Bcrypt Verify

Password Hashes: MD5, SHA, bcrypt

UUID Generator

JWT Keypair Generator

What a JWT keypair is

How to use it

When this is useful

Questions and answers

Related tools

JWT decoder

DKIM Keypair Generator

Bcrypt Verify

Password Hashes: MD5, SHA, bcrypt

UUID Generator