Skip to content

Public JWKS

Endpoints

  • JWKS (recommended): https://api.cloakapi.io/api/.well-known/cloakapi-receipt-pubkeys.jwks
  • PEM (legacy): https://api.cloakapi.io/api/.well-known/cloakapi-receipt-pubkey.pem

The JWKS is a standard RFC 7517 JSON Web Key Set:

{
"keys": [
{
"kty": "EC",
"crv": "P-256",
"kid": "gw-prod-2026-q2",
"x": "BASE64URL_X",
"y": "BASE64URL_Y",
"use": "sig",
"alg": "ES256",
"x-cloakapi-active": true
}
]
}

Key rotation

  • New keys are issued on the first day of each calendar quarter: gw-prod-2026-q2, gw-prod-2026-q3, gw-prod-2026-q4, …
  • The new key signs receipts immediately; the old key remains in the JWKS forever so historic receipts continue to verify.
  • Compromise rotation: if a key needs to be revoked, it gets the revoked: true claim in the JWKS entry. Verifiers should reject receipts signed by revoked keys.

Caching guidance

Cache the JWKS for at most 1 hour locally — fetch fresh on every unknown kid to pick up rotations. The endpoint serves Cache-Control: public, max-age=300.

Key naming convention

Keys follow the pattern gw-<region>-<year>-<quarter>:

ExampleMeaning
gw-prod-2026-q2Production gateway, 2026 Q2
gw-prod-2026-q3Production gateway, 2026 Q3 (next rotation)

Fetch the live JWKS to find the current active key — do not hardcode a kid.