Skip to main content
Use these endpoints when you verify Clawb-issued JWT credentials locally.

GET /.well-known/openid-configuration

Returns issuer metadata and JWKS URL.

Auth

No auth required. 
curl -sS https://api.clawb.ai/api/.well-known/openid-configuration

Example response

{
  "issuer": "https://api.clawb.ai/api",
  "jwks_uri": "https://api.clawb.ai/api/.well-known/jwks.json",
  "id_token_signing_alg_values_supported": ["EdDSA"],
  "subject_types_supported": ["public"],
  "response_types_supported": ["token"]
}

GET /.well-known/jwks.json

Canonical JWKS endpoint that returns active and previous issuer public keys in JWK format.

Auth

No auth required. 
curl -sS https://api.clawb.ai/api/.well-known/jwks.json

Example response

{
  "keys": [
    {
      "kty": "OKP",
      "crv": "Ed25519",
      "alg": "EdDSA",
      "use": "sig",
      "kid": "kid_01abc...",
      "x": "11qYAYLef..."
    }
  ]
}

Operational notes

  • Cache headers are intentionally short so key rotation propagates quickly.
  • Prefer resolving kid from JWT header and selecting that exact JWK.
  • Keep a fallback strategy when key lookup fails (refresh JWKS, then retry once).