Run this tool instantly in your browser. No signup and no server-side processing.

Public Key JWK Helper

Convert public PEM/SPKI keys and JWKs locally, inspect key metadata, and compute RFC 7638 thumbprints without uploading key material.

Input format

Output format

Source public key

Converted key

Related Tools

Certificate Decoder

Decode PEM-encoded X.509 certificates and inspect all details locally.

JWT Signature Verifier

Verify JWT signatures (HMAC) and validate claims — all client-side.

JWT Workbench

Encode, decode, and verify JWT tokens in one local-first workspace.

Base64 Encode/Decode

Encode text to Base64 format or decode it back to a readable string.

ASN.1/DER Inspector

Parse DER, PEM, Base64, or hex encoded ASN.1 data locally and inspect TLV structure, tag names, lengths, OIDs, strings, and nested containers.

Public Key JWK Helper: complete usage guide

Convert public PEM/SPKI keys and public JWK objects locally, inspect key metadata, and calculate RFC 7638 SHA-256 thumbprints for authentication, token verification, and key-distribution debugging workflows.

What this tool does

It imports SPKI public key PEM blocks and exports equivalent public JWK JSON for systems that use JSON Web Keys.

It imports public RSA, EC, and supported OKP JWKs and exports standard PUBLIC KEY PEM output for OpenSSL-style tooling.

It shows algorithm, curve or modulus details, key operations, key ID, and a deterministic JWK thumbprint for comparison across systems.

It rejects private and symmetric JWK material so the helper stays focused on public key review rather than secret handling.

Typical use cases

Convert an identity provider public JWK into PEM before testing a JWT verification library.
Convert a public PEM key into JWK before publishing a JWKS document or writing integration fixtures.
Compare RFC 7638 thumbprints when a key identifier differs between environments.
Document public key rotation checks in auth, SSO, and API security runbooks.
Verify that copied public keys are parseable before debugging token signature failures.

Input examples

SPKI public key PEM

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD...
-----END PUBLIC KEY-----

EC public JWK

{"kty":"EC","crv":"P-256","x":"...","y":"..."}

RSA public JWK

{"kty":"RSA","n":"...","e":"AQAB","kid":"auth-key-2026-01"}

Output examples

Public JWK output

{
  "kty": "EC",
  "crv": "P-256",
  "x": "...",
  "y": "..."
}

PEM output

-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----

Thumbprint summary

JWK thumbprint (SHA-256): K8JlQcU6WJq4MFbMa0cEFADDTOMRrrG1yj0K3Xs2-4g

Common errors and fixes

Private JWK pasted into a public-key helper

Export only the public portion of the key before converting or sharing examples.

PKCS#1 RSA PUBLIC KEY pasted instead of SPKI PUBLIC KEY

Convert to standard SPKI PUBLIC KEY PEM before importing.

Key operations missing after PEM round trip

Remember that PEM carries public key material but not JWK metadata such as kid, use, or key_ops.

Wrong curve expected by verifier

Compare the exported JWK crv value with the algorithm configured in your JWT or WebCrypto verifier.

Thumbprint differs from service documentation

Confirm the service uses RFC 7638 canonical public-key members rather than a vendor-specific fingerprint.

Security and privacy notes

Conversion and thumbprint calculation run locally in the browser without network access.
The tool is intended for public keys only; do not paste private keys or symmetric secrets.
Public keys can still reveal internal infrastructure names through kid values, so redact environment-specific identifiers before sharing screenshots.
Use certificate and JWKS publication controls outside this helper when rotating production trust material.

Step-by-step workflow

Feed Public Key JWK Helper the smallest reproducible sample you can collect from the real issue.
Review the first findings and separate confirmed signals from assumptions or environment-specific noise.
Compare a clean baseline sample against the problematic input when you need to isolate regressions.
Keep one redacted output snapshot with the key findings for tickets, runbooks, or incident handoff.

Quality checklist before sharing output

Confirm Public Key JWK Helper findings still reproduce with the same input and assumptions.
Check that the sample includes enough surrounding context to support the conclusion you are drawing.
Translate notable findings into concrete next checks, ownership, or remediation notes.
Redact private hosts, tokens, certificates, or customer identifiers before sharing analysis output.

Operational notes

Public Key JWK Helper is most effective when it produces a focused, reproducible evidence bundle that can be handed to the next engineer without extra cleanup.