JWKS "Unable to find a signing key that matches" in CI
The verifier looked up the token's kid in the issuer's JWKS document and found no matching key. jwks-rsa raises "Unable to find a signing key that matches" when the kid is absent from the served key set.
What this error means
Verification fails with "SigningKeyNotFoundError: Unable to find a signing key that matches ..." naming a kid. The JWKS endpoint points at the wrong issuer, or a rotated key was cached.
SigningKeyNotFoundError: Unable to find a signing key that matches 'abc123kid'
at /app/node_modules/jwks-rsa/src/JwksClient.js:78:19Common causes
JWKS URI points at the wrong issuer
The client fetches keys from a different realm or tenant than the one that signed the token, so the kid is not present.
A rotated key not yet reflected
The token was signed with a new key while the client served a cached JWKS that lacks that kid.
How to fix it
Point JWKS at the token issuer
- Read the iss claim and use that issuer's jwks_uri from its discovery document.
- Ensure the realm/tenant in the JWKS URI matches the signer.
- Allow the client to refresh keys so rotated kids are fetched.
const client = jwksClient({
jwksUri: `${issuer}/protocol/openid-connect/certs`,
cache: true, rateLimit: true
});Refresh JWKS on a missing kid
Enable caching with refresh so a kid not found triggers a re-fetch rather than a hard failure.
How to prevent it
- Derive jwks_uri from the issuer discovery document.
- Enable JWKS caching with refresh to handle rotation.
- Match realm/tenant between token signer and verifier.