JWKS
Overview
The /jwks endpoint provides the public key for validating SignerInfo JWTs returned with signing results.
SignerInfo JWT Claims
When you request a SignerInfo JWT in your sign order (`resultContent.requestSignerInfo: true`), the response includes a signed JWT containing information about the document signer, extracted from their digital certificate.
| Claim | Description | Example |
|---|---|---|
| `sub` | Certificate serial number | "UN:NO-9578-5100-Q_5iVtjvP..." |
| `iss` | Issuer (the SignDoc service domain) | "api.esign-stoe.cloud" |
| `name` | Full name of the signer | "Ola Nordmann" |
| `given_name` | First name | "Ola" |
| `family_name` | Last name | "Nordmann" |
| `birthdate` | Date of birth (YYYY-MM-DD format) | "1988-09-05" |
| `signature_quality` | Signature quality level | "QES" or "AES" |
| `cert_issuer` | Certificate issuer DN | Certificate authority information |
| `iat` | Issued at timestamp | Unix timestamp |
| `exp` | Expiration timestamp | Unix timestamp |
| `nbf` | Not before timestamp | Unix timestamp |
| `2.16.578.1.61.2.3` | BankID PID | "UN:NO-9578-6000-4-1911943" |
| `2.16.578.1.61.2.4` | Norwegian National Identity Number (if present) | "09058812345" |
| `2.16.578.1.61.2.1` | eID country code | "NO" |
| `2.16.578.1.61.2.2` | eID scheme | "BANKID" |
Validation Guidelines
- Retrieve the public key from this endpoint
- Verify the JWT signature using the public key
- Validate that the token hasn't expired (`exp` claim)
- Verify the issuer (`iss` claim) matches the expected SignDoc domain
- Extract and trust the signer information claims
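
The validation steps above as an added Node.js example; it is not code from the SignDoc service, and `verifySignerInfo`, `makeDemoToken` and `check` are hypothetical names. It assumes the `/jwks` response is a standard JWK Set and that tokens are signed with RS256 (the page states neither), takes the already-fetched JWKS as an object, and uses a throwaway key pair with constructed claims so it runs offline.

```javascript
// Added example (not the service's own code). Assumptions: the /jwks response is a
// standard JWK Set and tokens are signed with RS256; the page states neither.
const { createPublicKey, createVerify, createSign, generateKeyPairSync } = require('node:crypto');

const EXPECTED_ISS = 'api.esign-stoe.cloud'; // example issuer from the claims table
const ALLOWED_ALGS = new Map([['RS256', 'RSA-SHA256']]); // pinned by the verifier
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

function verifySignerInfo(token, jwks, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = decode(h);
  // Take the algorithm from our allow-list, never from the token alone.
  const digest = ALLOWED_ALGS.get(header.alg);
  if (!digest) throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && (!header.kid || k.kid === header.kid));
  if (!jwk) throw new Error('no matching key');
  const key = createPublicKey({ key: jwk, format: 'jwk' });
  const sigOk = createVerify(digest).update(`${h}.${p}`).verify(key, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  // Claims are read only after the signature has been verified.
  const claims = decode(p);
  if (typeof claims.exp !== 'number' || now >= claims.exp) throw new Error('expired');
  if (typeof claims.nbf === 'number' && now < claims.nbf) throw new Error('not yet valid');
  if (claims.iss !== EXPECTED_ISS) throw new Error('unexpected issuer');
  return claims;
}

// Constructed test material: a throwaway key pair stands in for the service key.
const demoKeys = generateKeyPairSync('rsa', { modulusLength: 2048 });
const DEMO_JWKS = { keys: [{ ...demoKeys.publicKey.export({ format: 'jwk' }), kid: 'demo-1' }] };
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

function makeDemoToken(claims, alg = 'RS256') {
  const input = `${encode({ alg, typ: 'JWT', kid: 'demo-1' })}.${encode(claims)}`;
  const sig = createSign('RSA-SHA256').update(input).sign(demoKeys.privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Returns 'ok' or the rejection reason, so each failure mode is visible.
function check(token, now) {
  try { verifySignerInfo(token, DEMO_JWKS, now); return 'ok'; } catch (e) { return e.message; }
}

const NOW = 1700000000; // constructed clock value
const demoClaims = { sub: 'UN:NO-constructed', iss: EXPECTED_ISS, name: 'Ola Nordmann',
  signature_quality: 'QES', iat: NOW, nbf: NOW, exp: NOW + 300 };
console.log(check(makeDemoToken(demoClaims), NOW));
console.log(check(makeDemoToken(demoClaims), NOW + 301));
console.log(check(makeDemoToken({ ...demoClaims, iss: 'other.example' }), NOW));
```

In a real integration, replace `EXPECTED_ISS` with the SignDoc domain you actually call and cache the fetched JWKS rather than retrieving it for every token.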