What does the JWK ↔ PEM Converter do?
JWK (JSON Web Key, RFC 7517) is the JSON
representation of a public or private key used by JWT, OIDC, OAuth 2.0, and most modern identity stacks. PEM
is the older Base64-armored format that almost every traditional crypto library — OpenSSL, Java keystores, Go's
crypto/x509 — expects. The two encode the same key material; you just need to round-trip them.
This tool does that round-trip in your browser using the WebCrypto API, so your private keys never travel over the network.
What it supports
- RSA public and private keys (any modulus size — 2048, 3072, 4096).
- EC public and private keys for the standard NIST curves P-256, P-384, P-521.
- Ed25519 where your browser supports it (Chromium 129+, Firefox 130+ ship it natively; Safari is opt-in).
- Auto-detection of algorithm (from kty/crv for JWK, or from the SPKI / PKCS8 header on the PEM side) and of public vs private (presence of the JWK d parameter, or PRIVATE KEY in the PEM banner).
- One-click sample keys generated with crypto.subtle.generateKey so you can experiment safely.
Why not paste into an online converter?
Most "JWK to PEM" web tools POST your key to a server. That's a non-starter for production private keys. This tool
is built around the browser's native crypto.subtle implementation: imports, exports, and key generation
all happen on your device, and nothing is logged or transmitted. The PEM body is just btoa()
applied to the SPKI or PKCS8 DER bytes the browser hands us, wrapped in 64-character lines per the
RFC 7468 profile.
Tips for OIDC / JWT workflows
Public keys in a JWK Set (jwks_uri) typically use kty:RSA with alg:RS256 or
kty:EC with crv:P-256 and alg:ES256. After exporting to PEM you can drop the
file straight into openssl rsa -pubin -in key.pem -text -noout (for an RSA key) or feed it to your JWT library to verify
tokens issued by an upstream identity provider.