# `AttestoPhoenix.Controller.JWKSController`
[🔗](https://github.com/XukuLLC/attesto_phoenix/blob/v0.19.0/lib/attesto_phoenix/controller/jwks_controller.ex#L1)

`GET /.well-known/jwks.json` - the JSON Web Key Set (RFC 7517 §5).

Publishes the public halves of the issuer's signing keys as a JWK Set so a
resource server (or any client) can verify issued JWTs without a shared
secret. A verifier fetches this set, then selects the key whose `kid` matches
the token's JWS header (RFC 7515 §4.1.4). This is the document the
authorization-server metadata's `jwks_uri` points at (RFC 8414 §2).

The set carries every verification key, so it covers a rotation window:
tokens minted under the outgoing key still verify while the incoming key is
also published. Only public key material is emitted; private components never
appear (RFC 7517 §1).
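
The verifier-side handling described above, as an added example that is not part of attesto_phoenix: confirm the fetched set carries only public members, then select the key by `kid` across a rotation window. The module name `JWKSCheckExample`, the `kid` values and the key coordinates are constructed placeholders, and the JWK Set is assumed to be already decoded from JSON into a map.

```elixir
defmodule JWKSCheckExample do
  # Hypothetical helper module for illustration; not an Attesto API.

  # Members that must never appear in a published set: RSA/EC private
  # parameters (RFC 7518 §6.2.2, §6.3.2) and the symmetric key value "k"
  # (RFC 7518 §6.4.1).
  @private_members ~w(d p q dp dq qi oth k)

  @doc "Returns the `kid`s of keys that carry private or symmetric material."
  def leaked_private_kids(%{"keys" => keys}) when is_list(keys) do
    for jwk <- keys,
        Enum.any?(@private_members, &Map.has_key?(jwk, &1)),
        do: Map.get(jwk, "kid", "<no kid>")
  end

  @doc "Selects the key whose `kid` matches the JWS header (RFC 7515 §4.1.4)."
  def select_key(%{"keys" => keys}, %{"kid" => kid})
      when is_list(keys) and is_binary(kid) do
    case Enum.filter(keys, &(&1["kid"] == kid)) do
      [jwk] -> {:ok, jwk}
      [] -> {:error, :unknown_kid}
      _many -> {:error, :ambiguous_kid}
    end
  end

  # A header without a string `kid` cannot be matched against the set.
  def select_key(_jwks, _header), do: {:error, :missing_kid}
end

# Constructed sample: the set as published during a rotation window.
jwks = %{
  "keys" => [
    %{"kty" => "EC", "crv" => "P-256", "kid" => "outgoing", "x" => "x1", "y" => "y1"},
    %{"kty" => "EC", "crv" => "P-256", "kid" => "incoming", "x" => "x2", "y" => "y2"}
  ]
}

# Only public members are present, and both keys resolve during the window.
[] = JWKSCheckExample.leaked_private_kids(jwks)
{:ok, %{"kid" => "outgoing"}} = JWKSCheckExample.select_key(jwks, %{"kid" => "outgoing"})
{:ok, %{"kid" => "incoming"}} = JWKSCheckExample.select_key(jwks, %{"kid" => "incoming"})

# A token signed under a key no longer published, or lacking `kid`, is rejected.
{:error, :unknown_kid} = JWKSCheckExample.select_key(jwks, %{"kid" => "retired"})
{:error, :missing_kid} = JWKSCheckExample.select_key(jwks, %{"alg" => "ES256"})

# A set that leaks a private scalar is flagged by its `kid`.
leaky = %{"keys" => [%{"kty" => "EC", "kid" => "bad", "x" => "x", "y" => "y", "d" => "s"}]}
["bad"] = JWKSCheckExample.leaked_private_kids(leaky)
```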

This endpoint is unauthenticated public metadata, and its response is the same
for every caller, so it is marked publicly cacheable (RFC 9111 §5.2.2). The
JWK Set construction is delegated to `Attesto.JWKS`; this controller owns only
the HTTP binding and the cache policy.

## Configuration

Built on `AttestoPhoenix.Config`. The set is derived entirely from
configuration; this controller holds no policy of its own:

  * `:keystore` - the `Attesto.Keystore` whose `verification_pems/0` are
    published. The host owns where the keys come from.

The configured `AttestoPhoenix.Config` is read from
`conn.private[:attesto_phoenix_config]`, placed there by the host's router
pipeline.

# `show`

```elixir
@spec show(Plug.Conn.t(), map()) :: Plug.Conn.t()
```

Handle `GET /.well-known/jwks.json` (RFC 7517 §5).

Builds the public JWK Set from the configured keystore's verification keys and
renders it as a publicly cacheable JSON document.

