Skip to main content
GET https://api.uip.digital/.well-known/uip-audit-jwks.json · Public · CORS-readable
Returns UIP’s current audit-signing public key and explicitly retained verification keys. Use the key whose kid exactly matches uip_signature.kid in the audit record. The endpoint is cacheable for five minutes; refresh it when a new kid appears. uip_signature is a detached audit field, not a JWS object. Its value is a base64url-encoded ASN.1 DER ECDSA signature over the 32-byte record digest.
keys
object[]
The public key proves that the holder of UIP’s configured signing key signed the canonical audit hash. It is separate from the symmetric key used to encrypt private data. The endpoint makes no claim about whether a particular deployed key version is software- or hardware-protected. See Get an audit record and offline verification.