ZeroData Tools
Tools
JSON Formatter Format and validate JSON instantly with no uploads, no server calls, and no stored data. JSON Validator Validate JSON instantly before deploys with local processing and zero server calls. YAML Validator Validate YAML files and catch indentation errors instantly with no uploads or backend processing. Base64 Encoder Encode or decode Base64 strings instantly with zero uploads. URL Encoder Encode and decode query parameters locally for APIs, redirects, and forms. HTML Formatter Pretty-print messy markup and inspect structure without exposing page code. CSS Minifier Shrink stylesheets for production with browser-only processing and instant output. JavaScript Beautifier Reformat dense JavaScript into readable code locally for debugging.

JWK to PEM Converter

Convert JSON Web Keys (JWK) to PEM format and back — using your browser's native Web Crypto API. Supports RSA and Elliptic Curve keys.

Advertisement
JWK ↔ PEM Converter
Convert JSON Web Keys to PEM format and back — using Web Crypto API, 100% in your browser.
JWK Input
Key Metadata
Type
Algorithm
Key ID
Public Key (PEM)
Private Key (PEM)
PEM Input
JWK Output

How ZeroData protects your privacy

  • No Uploads: Processing happens entirely via client-side JavaScript.
  • No Storage: We do not have a database. We physically cannot save your data.
  • No Tracking: We don't log what you process or track your inputs.
  • Verifiable: Check your DevTools Network tab. You will see 0 outbound requests.

Why Convert Between JWK and PEM?

Modern authentication and authorization systems frequently use two different formats for cryptographic keys. JWKS endpoints — used by OAuth 2.0 providers like Auth0, Okta, Google, and Azure AD — serve keys in JWK (JSON Web Key) format as defined in RFC 7517. However, most server-side libraries, reverse proxies, and API gateways expect keys in the traditional PEM format.

This mismatch means that developers regularly need to convert keys between formats. For example, when configuring Nginx or Apache to verify JWT signatures, you need the public key in PEM format — but the identity provider only exposes it as a JWK via its /.well-known/jwks.json endpoint.

How the Web Crypto API Handles Key Conversion

This converter uses the browser's built-in Web Crypto API — the same cryptographic engine that powers HTTPS in your browser. The conversion flow is:

  • JWK → PEM: Import the JWK using crypto.subtle.importKey('jwk', ...), then export as SPKI (public) or PKCS#8 (private) using crypto.subtle.exportKey().
  • PEM → JWK: Strip the PEM headers, decode the Base64 body to a binary buffer, import using crypto.subtle.importKey('spki'/'pkcs8', ...), then export as JWK.

Because the Web Crypto API handles all cryptographic operations natively, no external JavaScript libraries are needed. This keeps the tool fast, secure, and dependency-free.

Supported Key Algorithms

The tool supports the most common key types used in JWT/OIDC ecosystems:

  • RSA: RS256 (SHA-256), RS384 (SHA-384), RS512 (SHA-512) — used by most enterprise identity providers.
  • Elliptic Curve: ES256 (P-256), ES384 (P-384), ES512 (P-521) — smaller keys with equivalent security, preferred for modern applications.

Related Tools in the JWT / JWK Cluster

Need to generate fresh JWK key pairs? Use our JWK & JWKS Generator to create RSA and EC keys directly in your browser. To verify JWT token signatures against a public key, try the JWT Signature Verifier. And for quick inspection of token headers and payloads, the JWT Debugger decodes any JWT without sending it to a server.

100% Client-Side — Your Keys Never Leave Your Browser

Cryptographic keys are the most sensitive artifacts in any security system. Pasting private keys into online converters that route through backend servers is a serious risk. This tool processes everything locally using the Web Crypto API. No network requests are made during conversion — your keys exist only in browser memory and are discarded when you close the tab.

How to Use the JWK to PEM Converter

  1. Paste your JWK (or JWKS) into the input textarea, or click 'Load Example' for a demo key.
  2. Click 'Convert to PEM' to generate the PEM-encoded public and private keys.
  3. Copy the PEM output and use it in your server configuration, API gateway, or application code.
  4. To reverse the conversion, switch to 'PEM → JWK' mode and paste a PEM key.
  5. The tool auto-detects RSA vs EC key types and selects the correct algorithm.

Common Use Cases

  • Converting JWKS endpoint keys to PEM format for local JWT signature verification in Node.js or Python.
  • Extracting public keys from OAuth 2.0 / OpenID Connect discovery endpoints for API gateway configuration.
  • Converting PEM certificates to JWK format for uploading to Auth0, Firebase, or Keycloak identity providers.
  • Migrating cryptographic keys between systems that use different key formats (e.g., AWS Cognito to custom API).
  • Debugging JWT signature verification failures by comparing JWK and PEM key representations.
Advertisement

Frequently Asked Questions

What is the difference between JWK and PEM format?

JWK (JSON Web Key) is a JSON-based format defined in RFC 7517 for representing cryptographic keys. PEM (Privacy-Enhanced Mail) is the older, widely-used Base64-encoded format wrapped in '-----BEGIN/END-----' markers. JWK is commonly used in OAuth 2.0, OpenID Connect, and JWKS endpoints, while PEM is the standard format for OpenSSL, SSH, and most server-side TLS configurations.

Which key types does this converter support?

This converter supports RSA keys (RS256, RS384, RS512) and Elliptic Curve keys (ES256/P-256, ES384/P-384, ES512/P-521). These cover the vast majority of keys used in JWT signing, OAuth 2.0, and OpenID Connect. All conversion happens via the browser's native Web Crypto API.

Is it safe to paste my private key here?

Yes. This tool runs 100% in your browser using the Web Crypto API. No keys, tokens, or data are transmitted to any server. You can verify this by opening your browser's Developer Tools Network tab — you will see zero outbound requests during conversion.

What PEM formats does this tool output?

For public keys, the tool exports SPKI (Subject Public Key Info) format wrapped as '-----BEGIN PUBLIC KEY-----'. For private keys, it exports PKCS#8 format wrapped as '-----BEGIN PRIVATE KEY-----'. These are the standard formats accepted by OpenSSL, Node.js crypto, Java KeyStore, and most TLS/SSL libraries.

Can I convert a JWKS (key set) with multiple keys?

Yes. If you paste a JWKS (a JSON object with a 'keys' array), the tool will automatically extract and convert the first key in the set. For multi-key JWKS, you can edit the input to select a specific key by its 'kid' (Key ID) property.

Explore more ZeroData utilities

Related Tools

JWT Debugger

Inspect JWT headers and payloads locally without leaking tokens to third-party tools.

JWT Generator

Create test JWT tokens with custom headers and payloads locally. Sign with HMAC-SHA256 using Web Crypto API.

JWT Expiry Checker

Paste a JWT and instantly see when it expires in your local timezone. No server, no uploads.

JWT Signature Verifier

Verify JWT signatures locally using Web Crypto API. Supports HS256, RS256, and ES256. Your secrets never leave your browser.

JWK & JWKS Generator

Generate JSON Web Keys (JWK) and JWKS for JWT signing. Supports RS256, RS384, RS512, ES256, ES384, ES512, HS256 — 100% browser-based via Web Crypto API.

© 2026 ZeroData Tools. All rights reserved.