Get webhook JWKS

curl --request GET \
  --url https://api.turnkey.com/public/v1/discovery/webhooks/jwks

{
  "keys": [
    {
      "kid": "<signing-key-id>",
      "kty": "OKP",
      "crv": "Ed25519",
      "alg": "EdDSA",
      "use": "sig",
      "x": "<base64url-encoded-public-key>",
      "turnkey_signature_algorithm": "ed25519",
      "turnkey_signature_version": "v1"
    }
  ]
}

GET

public

discovery

webhooks

jwks

Get webhook JWKS

curl --request GET \
  --url https://api.turnkey.com/public/v1/discovery/webhooks/jwks

{
  "keys": [
    {
      "kid": "<signing-key-id>",
      "kty": "OKP",
      "crv": "Ed25519",
      "alg": "EdDSA",
      "use": "sig",
      "x": "<base64url-encoded-public-key>",
      "turnkey_signature_algorithm": "ed25519",
      "turnkey_signature_version": "v1"
    }
  ]
}

Fetch the public Ed25519 keys used to verify Turnkey webhook signatures. This endpoint requires no authentication. For full verification guidance, including signed message construction and SDK helper usage, see Verify webhook signatures. Cache the JWKS response according to the Cache-Control header. Match each JWK kid to the webhook delivery’s X-Turnkey-Signature-Key-Id header, and refetch JWKS before rejecting a delivery with an unknown kid. Current production Cache-Control:

public, max-age=86400, s-maxage=86400, stale-if-error=604800

A successful response returns the following fields:

keys

array

required

Public webhook signature verification keys.

Show keys details

{
  "keys": [
    {
      "kid": "<signing-key-id>",
      "kty": "OKP",
      "crv": "Ed25519",
      "alg": "EdDSA",
      "use": "sig",
      "x": "<base64url-encoded-public-key>",
      "turnkey_signature_algorithm": "ed25519",
      "turnkey_signature_version": "v1"
    }
  ]
}

List wallets accounts List webhook endpoints

⌘I