jwkToPem (Object jwk [, Object options]) -> String

The first parameter should be an Object representing the jwk; it may be public or private. By default, either of the two will be made into a public PEM. The call will throw if the input jwk is malformed or does not represent a valid key. You may optionally specify that you would like a private.

The JWK.parseFromPEMEncodedObject method can take care of that. It parses a string of one or more of the following PEM-encoded objects to create an RSA or EC JWK: Matching pair of the above, e.g. X.509 certificate with PKCS#8 encoded private key. Requires Nimbus JOSE+JWT 6.2+.

// PEM-encoded private RSA key generated with
// openssl genpkey ....

As you can see, the format exposes all the information related to a given key. The most important fields for us are:

n: the key itself
alg: the signing algorithm
kid: a unique id for every key