> ## Documentation Index
> Fetch the complete documentation index at: https://docs.uip.digital/llms.txt
> Use this file to discover all available pages before exploring further.

# Audit public keys

> GET /.well-known/alentra-audit-jwks.json

<Note>
  `GET https://api.alentra.app/.well-known/alentra-audit-jwks.json` · Public · CORS-readable
</Note>

Returns Alentra's current audit-signing public key and explicitly retained verification
keys. Use the key whose `kid` exactly matches `alentra_signature.kid` in the audit
record. The endpoint is cacheable for five minutes; refresh it when a new `kid`
appears.

`alentra_signature` is a detached audit field, not a JWS object. Its `value` is a
base64url-encoded ASN.1 DER ECDSA signature over the 32-byte record digest.

<ResponseField name="keys" type="object[]">
  <Expandable title="EC signing key">
    <ResponseField name="kty" type="string">`EC`.</ResponseField>
    <ResponseField name="crv" type="string">`P-256`.</ResponseField>
    <ResponseField name="alg" type="string">`ES256`.</ResponseField>
    <ResponseField name="use" type="string">`sig`.</ResponseField>
    <ResponseField name="kid" type="string">Exact Google Cloud KMS crypto-key-version resource recorded on audit signatures.</ResponseField>
    <ResponseField name="x" type="string">Base64url P-256 X coordinate.</ResponseField>
    <ResponseField name="y" type="string">Base64url P-256 Y coordinate.</ResponseField>
  </Expandable>
</ResponseField>

<ResponseExample>
  ```json 200 OK theme={null}
  {
    "keys": [
      {
        "kty": "EC",
        "crv": "P-256",
        "alg": "ES256",
        "use": "sig",
        "kid": "projects/alentra/locations/global/keyRings/audit/cryptoKeys/sign/cryptoKeyVersions/3",
        "x": "...",
        "y": "..."
      }
    ]
  }
  ```
</ResponseExample>

The public key proves that the holder of Alentra's configured signing key signed the
canonical audit hash. It is separate from the symmetric key used to encrypt private
data. The endpoint makes no claim about whether a particular deployed key version is
software- or hardware-protected.

See [Get an audit record](/api-reference/audits/get) and
[offline verification](/core-concepts/verification#verify-a-record-offline).
