2 min read
Endpoint
| Method | GET |
| Path | /partner/v1/oauth/jwks |
| Ring | partner (OAuth key set) |
Parameters
None. A public key-set read.
Response
A JWKS document — the public keys used to sign partner access tokens. Fetch it (and cache by kid) to verify a bearer JWT's signature, issuer and audience in your own resource server. Keys rotate; on an unknown kid, re-fetch the JWKS rather than rejecting the token outright. This is the local-verification counterpart to introspection.
Errors
Rate-limited on the token plane. Cache the response; do not fetch it per request.
Frequently asked questions
How do I handle key rotation?
Cache the JWKS keyed by kid. When you see a token signed with a kid you do not have, re-fetch the JWKS once and retry verification — do not reject on first miss, since it usually just means a key rotated.
Should I fetch the JWKS on every request?
No. Cache it and refresh periodically or on an unknown kid. Fetching per request wastes your rate-limit budget and adds latency to every verification.
Related reading

POST /partner/v1/oauth/token
The OAuth 2.0 token endpoint. Exchange client credentials for a short-lived bearer access token scoped to the…
Read →
POST /partner/v1/oauth/introspect
The OAuth 2.0 token-introspection endpoint. Check whether an access token is active and read its scopes,…
Read →
GET /.well-known/oauth-authorization-server
The OAuth 2.0 authorization-server metadata document (RFC 8414). Advertises the token endpoint, JWKS URI,…
Read →Funding for UK limited companies
Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.