Where is the Google Public Key for JWT validation?

I have an Angular11 UI front-end utilizing Google's RS256 authentication by

  1. import { SocialAuthService, GoogleLoginProvider, SocialUser } from 'angularx-social-login';
  2. in app.module.ts adding providers: [{ id: GoogleLoginProvider.PROVIDER_ID, provider: new GoogleLoginProvider('my Google-Client-ID')}]

When Google sends me back the JWT token, I send it to my NodeJS App server to establish a JWT-based communication for the session, so this NodeJS App server must validate this JWT. According to this article section "Leveraging RS256 Signatures",

Instead of installing the public key on the Application server, it's much better to have the Authentication server publish the JWT-validating public key in a publicly accessible Url.

I found this JWK (not JWT) link from Google Identity by Erji. Is this the right public key?


  • It's not exactly an X.509 certificate, but yes, that is the JWK used to validate a given signed JWT.

    If we check out the .well-known endpoint found in Google's documentation

    It points us to,

    jwks_uri    ""

    For the JWKs, which contain the currently valid keys for validating a signed JWT. The public key can be built from the information contained in the JWK endpoint.

    The n in is the key itself, the alg is the signing algorithm, and the kid is the key identifier.

    RFC 7517 defines the JWK standard and has full details on the fields.
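
The kid lookup and key construction described in this answer, as an added Node.js example that is not part of the original answer and is not Google's code. It assumes a locally generated RSA key pair standing in for the document fetched from jwks_uri; `verifyIdToken`, `signSample`, `sampleJwks` and `SAMPLE_KID` are hypothetical names.

```javascript
// Added example: the key pair, kid and tokens here are constructed, not Google's.
const crypto = require('node:crypto');

const b64url = (x) => Buffer.from(x).toString('base64url');

// Stand-in for the JSON served at jwks_uri: { keys: [{ kty, kid, alg, use, n, e }] }
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const SAMPLE_KID = 'constructed-kid-1';
const sampleJwks = {
  keys: [{ ...publicKey.export({ format: 'jwk' }), kid: SAMPLE_KID, alg: 'RS256', use: 'sig' }],
};

// Demo helper only: plays the authentication server and signs a token with RS256.
function signSample(payload, kid = SAMPLE_KID) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const input = header + '.' + b64url(JSON.stringify(payload));
  return input + '.' + crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url');
}

// Returns the payload when the signature, audience and expiry all check out; throws otherwise.
function verifyIdToken(token, jwks, expectedAud) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm on the server; the token header must not be allowed to choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  // The kid in the header selects which published key signed this token.
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  // n (modulus) and e (exponent) from the JWK are enough to rebuild the RSA public key.
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const ok = crypto.verify('RSA-SHA256', Buffer.from(h + '.' + p), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  // A valid signature only proves who issued the token; it must also be meant for this app.
  if (payload.aud !== expectedAud) throw new Error('wrong audience');
  if (typeof payload.exp !== 'number' || payload.exp <= Date.now() / 1000) throw new Error('token expired');
  return payload;
}
```

In a real deployment the JWKS would be fetched from the jwks_uri value in the discovery document and re-fetched when a token arrives with a kid that is not in the cached set, since the published keys change over time.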