# JWKS

> Public keys for verifying OAuth access token signatures.

Access tokens are JWTs signed with `ES256`. Resource servers verify a token's signature by matching its header `kid` against a key in this document.

Both `active` and `retiring` keys are published, so tokens signed before a key rotation still verify. `retired` keys are omitted, since any token they signed has already expired.

<RequestExample>
  ```bash cURL
  curl 'https://api.resend.com/.well-known/jwks.json'
  ```
</RequestExample>

<ResponseExample>
  ```json Response
  {
    "keys": [
      {
        "kty": "EC",
        "crv": "P-256",
        "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
        "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
        "alg": "ES256",
        "use": "sig",
        "kid": "2026-06-01"
      }
    ]
  }
  ```
</ResponseExample>

The response is cached for 300 seconds (`Cache-Control: public, max-age=300`).
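
The `kid` lookup and `ES256` check described above, as an added example for a Node.js resource server (not Resend's own code). It assumes tokens carry a numeric `exp` claim; the keys are generated locally and every `kid` except `2026-06-01` is constructed, so the block runs offline.

```javascript
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');

// Verify an ES256 JWT against a JWKS document; returns the claims or throws.
function verifyAccessToken(token, jwks, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url'));
  // Pin the algorithm: never let the token header choose it ("none", HS256, ...).
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  // Select the key by kid; a kid absent from the JWKS (e.g. a retired key) is rejected.
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'EC' && k.crv === 'P-256');
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  // JWS ES256 signatures are raw r||s (64 bytes), not DER.
  const sig = Buffer.from(s, 'base64url');
  const ok = sig.length === 64 &&
    crypto.verify('sha256', Buffer.from(`${h}.${p}`), { key, dsaEncoding: 'ieee-p1363' }, sig);
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url'));
  // Assumption: tokens carry a numeric exp claim (seconds since epoch).
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  return claims;
}

// --- Constructed fixtures: locally generated keys, not Resend's ---
function makeKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, jwk: { ...publicKey.export({ format: 'jwk' }), alg: 'ES256', use: 'sig', kid } };
}
function signToken(k, claims, alg = 'ES256') {
  const input = `${b64u(JSON.stringify({ alg, typ: 'JWT', kid: k.jwk.kid }))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: k.privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

const active = makeKey('2026-06-01');   // kid taken from the response example
const retiring = makeKey('2026-03-01'); // constructed kid
const retired = makeKey('2025-12-01');  // constructed kid, deliberately not published
const jwks = { keys: [active.jwk, retiring.jwk] };
const NOW = 1780000000;                 // fixed clock so results are deterministic

// Returns the token's sub on success, or the rejection reason.
const outcome = (token) => {
  try { return verifyAccessToken(token, jwks, NOW).sub; } catch (e) { return e.message; }
};
```

In production, pass the parsed body of `https://api.resend.com/.well-known/jwks.json` as `jwks` and refresh it no less often than the 300-second cache lifetime, so a newly rotated `kid` is picked up.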
