Overview
JSON Web Keys (JWKs) are used by OAuth 2.0 client applications to authenticate with Okta using the private_key_jwt client authentication method.
This is an asymmetric authentication mechanism where the application possesses a private key and Okta stores the corresponding public key.
A service application can have multiple JWKs configured for key rotation purposes.
JWKs are represented as Okta_JWK nodes in BloodHound.
Edges
The tables below list edges defined by the OktaHound extension only. Additional edges to or from this node may be created by other extensions.
Inbound Edges
No inbound edges are defined by the OktaHound extension for this node.
Outbound Edges
| Edge Type | Destination Node Types | Traversable |
|---|---|---|
| Okta_KeyOf | Okta_Application | ✅ |
Properties
| Name | Source | Type | Description |
|---|---|---|---|
| id | jwk.id | string | Unique JSON Web Key identifier. |
| name | jwk.kid (fallback jwk.id) | string | Key identifier used as node name. |
| displayName | jwk.kid (fallback jwk.id) | string | Display label used in BloodHound. |
| oktaDomain | Collector context (non-API) | string | Okta organization domain where the key exists. |
| status | jwk.status | string | Current lifecycle status of the key. |
| kid | jwk.kid | string | JSON Web Key identifier (kid). |
| kty | jwk.kty | string | Key type (RSA, EC, …). |
| use | jwk.use | string | Intended key usage (sig, enc). |
| created | jwk.created | datetime | Key creation timestamp. |
| lastUpdated | jwk.lastUpdated | datetime | Last update timestamp. |
Sample Property Values
id: pksw0py294dQ80EdI697
name: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4
displayName: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4
oktaDomain: contoso.okta.com
status: ACTIVE
kid: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4
kty: RSA
use: sig
created: 2025-10-02T10:14:44Z
lastUpdated: 2025-10-02T10:26:27Z
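
As an added example (not part of the OktaHound documentation or code), the following Python function uses the status, created and kid properties together with Okta_KeyOf edges to list the ACTIVE keys of each application and their age, which is useful when reviewing key rotation. The input shape, the sample data and the 365-day threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data shaped like the properties documented above.
# Node ids, application ids and all values are made up for illustration.
SAMPLE_KEYS = [
    {"id": "pks-example-1", "kid": "key-2023", "status": "ACTIVE", "kty": "RSA",
     "use": "sig", "created": "2023-01-15T08:00:00Z"},
    {"id": "pks-example-2", "kid": "key-2025", "status": "ACTIVE", "kty": "RSA",
     "use": "sig", "created": "2025-09-01T08:00:00Z"},
    {"id": "pks-example-3", "kid": None, "status": "INACTIVE", "kty": "EC",
     "use": "sig", "created": "2022-05-01T08:00:00Z"},
]
# (key id, application id) pairs, one per Okta_KeyOf edge.
SAMPLE_KEY_OF = [("pks-example-1", "app-example-A"),
                 ("pks-example-2", "app-example-A"),
                 ("pks-example-3", "app-example-B")]

def parse_ts(value):
    """Parse the ISO 8601 'Z' timestamps used by created/lastUpdated."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_keys(keys, key_of, now, max_age_days=365):
    """Return {application id: findings} covering ACTIVE keys only.

    max_age_days is an assumed rotation policy, not an Okta default.
    """
    by_id = {k["id"]: k for k in keys}
    active = defaultdict(list)
    for key_id, app_id in key_of:
        key = by_id.get(key_id)
        if key and key["status"] == "ACTIVE":
            active[app_id].append(key)
    report = {}
    for app_id, app_keys in active.items():
        entries = []
        for key in sorted(app_keys, key=lambda k: k["created"]):
            age = (now - parse_ts(key["created"])).days
            entries.append({
                "name": key.get("kid") or key["id"],  # same fallback as the name property
                "age_days": age,
                "overdue": age > max_age_days,
            })
        report[app_id] = {"active_keys": entries,
                          "multiple_active": len(entries) > 1}
    return report
```

An application reported with multiple_active set to true has more than one usable client key at the same time, which is expected during a rotation window and worth a second look when the older key is also overdue.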