Reference

GET /partner/v1/oauth/jwks

The JSON Web Key Set: the public keys that sign partner access tokens, so you can verify a token's signature, issuer and audience locally without calling introspection.

2 min read

GETHTTP method
OAuthAuth
partnerRing

Endpoint

MethodGET
Path/partner/v1/oauth/jwks
Ringpartner (OAuth key set)

Parameters

None. A public key-set read.

Response

A JWKS document — the public keys used to sign partner access tokens. Fetch it (and cache by kid) to verify a bearer JWT's signature, issuer and audience in your own resource server. Keys rotate; on an unknown kid, re-fetch the JWKS rather than rejecting the token outright. This is the local-verification counterpart to introspection.

Errors

Rate-limited on the token plane. Cache the response; do not fetch it per request.

Frequently asked questions

How do I handle key rotation?

Cache the JWKS keyed by kid. When you see a token signed with a kid you do not have, re-fetch the JWKS once and retry verification — do not reject on first miss, since it usually just means a key rotated.

Should I fetch the JWKS on every request?

No. Cache it and refresh periodically or on an unknown kid. Fetching per request wastes your rate-limit budget and adds latency to every verification.

Funding for UK limited companies

Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.