Add kid to JWKs

[natac13]

Use 'latest' JWK's kid in the signing headers. This is used by clients to efficiently find the right JWK from the list

I noticed this was missing when trying to use hono/jwk middleware

Add kid to the JWKS and the signing headers so that clients can use it to find the JWK from the list to verify.

I choose, (maybe wrongly) that the 'latest' key it the first one in the list. Could go either way.

While trying to use the convex auth supplied access token from a Hono api with their jwk middleware, I got an error about the kid field missing.

I learned that it is to uniquely identify the JWK so the client does not have to check every key in the list from the endpoint.

I check on how Openauth does this here

I found that the Convex Backend uses the Biscuit library to decode the jwks here

However, after checking on the source for the Biscuit decode_with_jwks I am not sure how it does not throw a similar error due to the missing kid

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
convex-auth-docs	✅ Ready (Inspect)	Visit Preview	May 30, 2025 11:32am

[thomasballinger]

@natac13 great point, for OIDC https://docs.convex.dev/auth/advanced/custom-auth we don't use Biscuit, we use https://github.com/ramosbugs/openidconnect-rs. I think using a kid is a good idea. Sorry for the trouble when using this via Hono!