Skip to content
Latchkey

JWKS "Unable to find a signing key that matches" in CI

The verifier looked up the token's kid in the issuer's JWKS document and found no matching key. jwks-rsa raises "Unable to find a signing key that matches" when the kid is absent from the served key set.

What this error means

Verification fails with "SigningKeyNotFoundError: Unable to find a signing key that matches ..." naming a kid. The JWKS endpoint points at the wrong issuer, or a rotated key was cached.

jwks-rsa
SigningKeyNotFoundError: Unable to find a signing key that matches 'abc123kid'
    at /app/node_modules/jwks-rsa/src/JwksClient.js:78:19

Common causes

JWKS URI points at the wrong issuer

The client fetches keys from a different realm or tenant than the one that signed the token, so the kid is not present.

A rotated key not yet reflected

The token was signed with a new key while the client served a cached JWKS that lacks that kid.

How to fix it

Point JWKS at the token issuer

  1. Read the iss claim and use that issuer's jwks_uri from its discovery document.
  2. Ensure the realm/tenant in the JWKS URI matches the signer.
  3. Allow the client to refresh keys so rotated kids are fetched.
test.js
const client = jwksClient({
  jwksUri: `${issuer}/protocol/openid-connect/certs`,
  cache: true, rateLimit: true
});

Refresh JWKS on a missing kid

Enable caching with refresh so a kid not found triggers a re-fetch rather than a hard failure.

How to prevent it

  • Derive jwks_uri from the issuer discovery document.
  • Enable JWKS caching with refresh to handle rotation.
  • Match realm/tenant between token signer and verifier.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →