JWK Generator — Convert PEM to JWK & Generate JWKS

Generate and convert cryptographic keys in PEM and JWK formats for secure signing and encryption.

Our lightweight JWK generator runs entirely in your browser — no keys leave your machine. Use it to convert PEM to JWK, convert JWK to PEM, or generate new keys and export a JWKS for your jwks_uri endpoint.
Learn more: What is JWKS
See source code: https://github.com/authgear/authgear-widget-jwk-generator

PEM to JWK
Paste a PEM-encoded key or X.509 certificate, set kid, choose alg and use (sig / enc), then click Generate JWK. This converts PEM → JWK in the standard jwk format so you can add the JWK to a JWKS or plug it directly into JOSE libraries (Node jose, Python jwcrypto, etc.).
JWK to PEM
Paste a JWK JSON object and export a PEM formatted key for CLIs, servers, or legacy tooling. Use JWK to PEM when you need a PEM public key for OpenSSL or server-side libraries while maintaining kid, alg, and use metadata in your JWK set.
Generate JWK
Create new keys with the JWK generator mode. Choose key use (signature sig or encryption enc), key type (RSA, EC, OKP, or oct), and configure size/curve/parameters. The generator suggests alg values and auto-generates a kid you can edit. Output options include a single JWK or a full JWKS (jwks.json) ready to host.

How the JWK Generator Works

Step 1.
Convert Between PEM and JWK:
  • Paste your PEM key to convert it into a JSON Web Key format or vice versa.
  • Copy the converted key for use in your applications.
Why use PEM → JWK?
  • Many libraries and identity platforms expect JWK/JWKS. Converting PEM to JWK makes your keys consumable by JWT verification flows and by any service that reads a jwks.json at a jwks_uri.
Step 2.
Generate New Keys:
  • Select whether you want a key for signature or encryption tasks.
  • Choose the key type suitable for your security needs, such as symmetric (oct), RSA, or elliptic curve (EC or OKP).
  • Pick the cryptographic algorithm to match your system requirements (e.g., RS256 for RSA signature).
  • Receive the generated keys:
      a. Symmetric: secret key string + JWK JSON.
      b. Asymmetric: PEM-formatted private and public keys + corresponding JWK objects for private and public key parts.
Step 3.
Use Your Keys Securely:
  • Implement these keys to sign or encrypt JWTs.
  • Host JWK sets on your authorization servers for key discovery.
  • Rotate and manage keys easily for robust security posture.

What is a JWK (JSON Web Key)?

A JWK is a JSON data structure that represents a cryptographic key. A JWKS (JSON Web Key Set) is an object with a keys array of JWKs. JWKS is the standard format used by identity providers to publish public keys at a jwks_uri so clients can validate JWT tokens (see RFC 7517). If you searched “what is jwks” or “jwks uri”, this is the format you need.
  • Machine-friendly JSON format, easy to use across web APIs
  • Supports all key types—symmetric and asymmetric
  • Facilitates key rotation and management for modern applications

What is PEM

PEM (Privacy Enhanced Mail) is the base64-encoded format commonly used to store and share cryptographic keys and certificates. Use PEM to JWK conversions to make PEM keys consumable by JWKS endpoints and modern JOSE libraries.
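
The PEM → JWK → JWKS path described above, as an added example using only Node.js built-in crypto (it is not the generator's own code). The function names are illustrative, and defaulting kid to the RFC 7638 thumbprint is an assumption; the sketch refuses to emit a JWK that still carries private or symmetric key material.

```javascript
// Added example: Node.js built-in crypto only; names below are illustrative.
const { createPublicKey, createHash, generateKeyPairSync } = require('node:crypto');

// JWK members that hold private or secret key material (RFC 7518).
const PRIVATE_MEMBERS = ['d', 'p', 'q', 'dp', 'dq', 'qi', 'oth', 'k'];
// Required public members per kty, in the order RFC 7638 hashes them.
const THUMBPRINT_MEMBERS = {
  EC: ['crv', 'kty', 'x', 'y'],
  OKP: ['crv', 'kty', 'x'],
  RSA: ['e', 'kty', 'n'],
};

// RFC 7638 SHA-256 thumbprint, used here as a default kid (an assumption).
function thumbprint(jwk) {
  const members = THUMBPRINT_MEMBERS[jwk.kty];
  if (!members) throw new Error(`unsupported kty: ${jwk.kty}`);
  const canonical = JSON.stringify(Object.fromEntries(members.map((m) => [m, jwk[m]])));
  return createHash('sha256').update(canonical).digest('base64url');
}

// Reject any JWK that still carries private or symmetric key material.
function assertPublicJwk(jwk) {
  const leaked = PRIVATE_MEMBERS.filter((m) => m in jwk);
  if (leaked.length) throw new Error(`private members present: ${leaked.join(', ')}`);
  return jwk;
}

// PEM public key, private key or X.509 certificate -> public JWK with metadata.
function pemToPublicJwk(pem, { alg, use = 'sig', kid } = {}) {
  if (!alg) throw new Error('alg is required');
  // createPublicKey() derives the public half when given a private key PEM.
  const jwk = createPublicKey(pem).export({ format: 'jwk' });
  return assertPublicJwk({ ...jwk, kid: kid ?? thumbprint(jwk), use, alg });
}

// Build the { keys: [...] } document served at jwks_uri; duplicate kids are refused.
function buildJwks(entries) {
  const keys = entries.map(({ pem, ...meta }) => pemToPublicJwk(pem, meta));
  if (new Set(keys.map((k) => k.kid)).size !== keys.length) {
    throw new Error('duplicate kid in JWKS');
  }
  return { keys };
}

// Constructed sample input: a throwaway P-256 key pair generated at run time.
const sample = generateKeyPairSync('ec', { namedCurve: 'P-256' });
const samplePem = sample.privateKey.export({ type: 'pkcs8', format: 'pem' });
console.log(JSON.stringify(buildJwks([{ pem: samplePem, alg: 'ES256' }]), null, 2));
```

Run assertPublicJwk over any JWK pasted from elsewhere before adding it to a published set; it fails on private asymmetric JWKs and on oct keys alike.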

Best Practices

  • Never use generated private keys in production. For production, generate and store private keys in a secure HSM or KMS.
  • Use appropriate key sizes and modern algorithms (e.g., Ed25519 when supported).
  • Host JWKS over HTTPS at a stable jwks_uri and rotate keys regularly — publish new keys with new kid values and remove deprecated keys safely.
  • Include kid and alg metadata in your JWKs so clients can select the right key when verifying JWTs.