Is your JWKS endpoint hygienic?

Grade a JWKS endpoint (or OIDC issuer) against RFC 7517 / 7518 and the JWT BCP (RFC 8725) — every finding cited, results shareable by permalink. Or verify a JWT against a JWKS entirely in your browser, with algorithm-confusion detection.

We fetch only the public JWKS over HTTPS. An issuer URL is resolved via /.well-known/openid-configuration. Nothing is stored unless a report is created.