# `Attesto.JWKS`
[🔗](https://github.com/XukuLLC/attesto/blob/v0.13.0/lib/attesto/jwks.ex#L1)

RFC 7517 - publish the signing keys' public halves as a JWK Set.

A resource server (or a mobile / third-party client) that wants to
verify Attesto-issued tokens without sharing a secret fetches a JWK Set
from the issuer's `jwks_uri`, then selects the key whose `kid` matches
the token's JWS header. This module builds that set from a keystore: for
every verification key it derives the public JWK, stamps the RFC 7638
`kid` Attesto signs with, and marks it `use: "sig"` plus the key's
configured or inferred `alg`.

Because the set carries every key in `verification_pems/0`, it covers a
rotation window: tokens minted under the outgoing key still verify
against the set while the incoming key is also published.

The result is a plain map (`%{"keys" => [...]}`) ready to serialise as
the JSON body of a `/.well-known/jwks.json` (or equivalent) endpoint.
Only public key material is emitted; private components never appear.

# `from_config`

```elixir
@spec from_config(Attesto.Config.t()) :: %{required(String.t()) => [map()]}
```

Build the JWK Set from an `Attesto.Config`'s keystore.

Equivalent to `from_pems/1` over `config.keystore.verification_pems()`,
while preserving any per-key algorithm metadata the keystore exposes.

# `from_keystore`

```elixir
@spec from_keystore(module()) :: %{required(String.t()) => [map()]}
```

Build the JWK Set from a keystore module.

# `from_pems`

```elixir
@spec from_pems([String.t()]) :: %{required(String.t()) => [map()]}
```

Build the JWK Set from a list of PEMs (private or public; only the
public half is published).

Returns `%{"keys" => [jwk, ...]}` where each `jwk` is the public JWK
with `kid` (RFC 7638 thumbprint), `use: "sig"`, and an inferred `alg`.
Duplicate keys (same `kid`) are de-duplicated so a key listed twice in
the verification set appears once in the published set.
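The properties described above (public material only, `kid` equal to the RFC 7638 thumbprint, `use: "sig"`, unique `kid`s) can be checked on any `%{"keys" => [...]}` map before it is served. The following is an added example, not part of Attesto: `JWKSAudit` and its functions are hypothetical names, the sample key is constructed, and it assumes JWK member values are base64url strings that need no JSON escaping.

```elixir
defmodule JWKSAudit do
  # RFC 7638 required members per key type, already in lexicographic order.
  @required %{"RSA" => ~w(e kty n), "EC" => ~w(crv kty x y), "OKP" => ~w(crv kty x)}
  # Private or symmetric members (RFC 7518, RFC 8037) that must never be published.
  @private ~w(d p q dp dq qi oth k)

  @doc "RFC 7638 SHA-256 thumbprint, base64url without padding. Raises on unknown kty."
  def thumbprint(%{"kty" => kty} = jwk) do
    members =
      @required
      |> Map.fetch!(kty)
      |> Enum.map_join(",", fn m -> ~s|"#{m}":"#{Map.fetch!(jwk, m)}"| end)

    Base.url_encode64(:crypto.hash(:sha256, "{" <> members <> "}"), padding: false)
  end

  @doc "Returns :ok, or {:error, problems} listing every violated property."
  def audit(%{"keys" => keys}) do
    kids = Enum.map(keys, & &1["kid"])

    per_key =
      Enum.flat_map(keys, fn jwk ->
        kid = jwk["kid"]
        leaked = Enum.filter(@private, &Map.has_key?(jwk, &1))

        checks = [
          {leaked != [], {:private_members, kid, leaked}},
          {kid != thumbprint(jwk), {:kid_not_thumbprint, kid}},
          {jwk["use"] != "sig", {:unexpected_use, kid}}
        ]

        # Keep only the reasons whose condition is true.
        for {true, reason} <- checks, do: reason
      end)

    # `kids -- Enum.uniq(kids)` leaves one entry per extra occurrence of a kid.
    problems = per_key ++ Enum.map(kids -- Enum.uniq(kids), &{:duplicate_kid, &1})
    if problems == [], do: :ok, else: {:error, problems}
  end

  @doc "Verifier-side lookup: the key whose kid matches the token's JWS header."
  def select(%{"keys" => keys}, kid), do: Enum.find(keys, &(&1["kid"] == kid))
end

# Constructed sample: x and y are placeholder strings, not a real curve point.
ec = %{"kty" => "EC", "crv" => "P-256", "x" => "eC1jb29yZA", "y" => "eS1jb29yZA"}
good = Map.merge(ec, %{"kid" => JWKSAudit.thumbprint(ec), "use" => "sig", "alg" => "ES256"})

:ok = JWKSAudit.audit(%{"keys" => [good]})
{:error, [{:private_members, _, ["d"]}]} = JWKSAudit.audit(%{"keys" => [Map.put(good, "d", "c2VjcmV0")]})
{:error, [{:duplicate_kid, _}]} = JWKSAudit.audit(%{"keys" => [good, good]})
```

Running the same audit in a test against the map returned by `from_pems/1` guards the published endpoint against regressions in a custom keystore.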

---

*Consult [api-reference.md](api-reference.md) for complete listing*
