# JSON Web Key Set (JWKS) Endpoint

> Provides the set of public keys used to verify the signature of JWTs issued by the authentication server. Clients should use the `kid` (Key ID) from a JWT's header to select the correct key for validation.




## OpenAPI

````yaml /api/en/authentication.yaml get /.well-known/jwks.json
openapi: 3.0.3
info:
  title: Altostrat Authentication API
  description: >
    This document provides a comprehensive guide to Altostrat's Authentication
    API. It leverages Auth0 to provide secure, stateless, JWT-based
    authentication for the Altostrat Single-Page Application (SPA). The
    authentication mechanism is built on the industry-standard **OAuth 2.0
    Authorization Code Flow with Proof Key for Code Exchange (PKCE)**, ensuring
    robust security for client-side applications.


    This documentation is a strategic blueprint designed for developers to
    accelerate integration. It details not only the API endpoints but also the
    underlying standards like **OpenID Connect (OIDC)** and the structure of the
    JSON Web Tokens (JWTs) used for authorization. Developers can use the OIDC
    discovery endpoint to auto-configure their clients.


    ### Authentication Flow Overview:

    1.  **Initiate Login:** The Altostrat web application initiates the
    authentication flow by redirecting the user's browser to the `/authorize`
    endpoint.

    2.  **User Authentication & Consent:** The user authenticates on the
    `signin.altostrat.io` domain and grants the application permission to access
    the requested scopes.

    3.  **Receive Authorization Code:** Auth0 redirects the user back to the
    Altostrat application's registered callback URL with a single-use
    `authorization_code`.

    4.  **Exchange Code for Tokens:** The Altostrat application's backend sends
    the `authorization_code` along with the `code_verifier` to the
    `/oauth/token` endpoint.

    5.  **Receive Tokens & Call APIs:** A successful exchange provides an
    `access_token` (JWT), an `id_token`, and a `refresh_token`. The
    `access_token` is then used as a Bearer token to make secure calls to
    Altostrat's resource APIs (e.g., `https://v1.api.altostrat.io`).
  version: 1.0.0
servers:
  - url: https://signin.altostrat.io
    description: Altostrat OAuth 2.0 & OpenID Connect Infrastructure
security: []
tags:
  - name: OAuth 2.0 & OIDC
    description: >-
      Core endpoints for the authentication, token management, and session
      flows.
  - name: Discovery
    description: >-
      Standard OpenID Connect discovery endpoints for automatic client
      configuration.
paths:
  /.well-known/jwks.json:
    get:
      tags:
        - Discovery
      summary: JSON Web Key Set (JWKS) Endpoint
      description: >
        Provides the set of public keys used to verify the signature of JWTs
        issued by the authentication server. Clients should use the `kid` (Key
        ID) from a JWT's header to select the correct key for validation.
      responses:
        '200':
          description: A JSON object containing an array of public keys.
          content:
            application/json:
              schema:
                type: object
                properties:
                  keys:
                    type: array
                    items:
                      type: object
                      properties:
                        alg:
                          type: string
                        kty:
                          type: string
                        use:
                          type: string
                        'n':
                          type: string
                        e:
                          type: string
                        kid:
                          type: string

````