Skip to main content
GET
/
.well-known
/
jwks.json
curl 'https://api.resend.com/.well-known/jwks.json'
{
  "keys": [
    {
      "kty": "EC",
      "crv": "P-256",
      "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
      "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
      "alg": "ES256",
      "use": "sig",
      "kid": "2026-06-01"
    }
  ]
}
Access tokens are JWTs signed with ES256. Resource servers verify a token’s signature by matching its header kid against a key in this document. Both active and retiring keys are published, so tokens signed before a key rotation still verify. retired keys are omitted, since any token they signed has already expired.
curl 'https://api.resend.com/.well-known/jwks.json'
{
  "keys": [
    {
      "kty": "EC",
      "crv": "P-256",
      "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
      "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
      "alg": "ES256",
      "use": "sig",
      "kid": "2026-06-01"
    }
  ]
}
Response is cached for 300 seconds (Cache-Control: public, max-age=300).