I am currently studying the ktor jwt documentation...
# server
c
I am currently studying the ktor jwt documentation. 2 notes:
```kotlin
val publicKey = jwkProvider.get("6f8856ed-9189-488f-9011-0ff4b6c08edc").publicKey
```
Where does the public key come from?
```kotlin
call.respond(hashMapOf("token" to token))
```
I thought about sending the public key as well to the client, so he can validate the token itself. Is this recommended? And why not?
d
Well the public key is public, so yes - the idea is that the client can validate that the JWT you send them is signed by you - this is typically done by exposing it using JWKs and the client retrieving it themselves - you don't need to send it to them but you do need to make it available. The public key itself is part of the public/private pair that you use to sign the contents of the JWT (which is the third section of an encoded JWT string - see jwt.io).
a
As David mentioned, it is 100% ok to send anyone the public key for your JWTs. But the other question is how? A JWK is ideal in that you can rotate keys, and the client can retrieve the key themselves. But if you know you'll only have a small number of clients, manually sending them the public key is completely valid, and avoids the overhead of setting up and maintaining the JWK endpoint.