Hello Bruno,
For RSA (asymmetric), you can retrieve the public key from the Admin console (realm > Keys
> RSA > Public key). It's only the pubkey that is needed for RSA signature
verification.
For symmetric algorithms, namely AES and HMAC, you should use the direct SQL query:
SELECT value FROM component_config CC INNER JOIN component C ON(CC.component_id = C.id)
WHERE provider_id = 'hmac-generated' AND CC.name = 'secret';
(similarly for 'aes-generated')
However, it seems like none of the online JWT debuggers, neither https://jsonwebtoken.io
nor https://jwt.io, understand Keycloak's symmetric keys. The former simply fails every
time, and the latter, instead of verifying the signature, simply regenerates it with the
key supplied. I was only able to verify the RSA signature using https://jwt.io and the RSA
pubkey retrieved from Keycloak. The only pitfall is that you need to enclose the pubkey in
-----BEGIN RSA PUBLIC KEY----- and -----END RSA PUBLIC KEY-----.
As the online services do not seem to be very reliable, I'd suggest that you try using
one of the many libraries to verify the token yourself.
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2018-12-26 at 14:14 +0100, Bruno Mairlot wrote:
Dear List Members,
I am working on implementing a Single Sign On with Keycloak and I have
implemented the Standard Flow, I can exchange the Authorization Grant to
receive the tokens, but I cannot find a way to verify them.
Each time I try to check the token, classical tools like jwt.io or
https://www.jsonwebtoken.io/ say the signature is incorrect.
I would like to know, which secret does Keycloak use to sign (with
HS256) the tokens? And where can I find it?
I tried the client secret, but it seems wrong to me.
Many thanks for your help,
Cheers,
Bruno Mairlot
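
Added example (not part of the original thread and not Keycloak's own code): a local HS256 check in Python using only the standard library, for the value returned by the SQL query above. It assumes the stored value may be either the key itself or its base64url encoding, so it tries both and reports which one verified; the function names and the sample key are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def candidate_keys(stored):
    # Assumption: the stored value is either the key itself or its base64url form.
    keys = {"utf8": stored.encode()}
    try:
        keys["base64url"] = b64url_decode(stored)
    except ValueError:
        pass
    return keys

def sign_hs256(key, claims):
    # Helper used only to build constructed sample tokens.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify_hs256(token, stored, now=None):
    """Return (key_interpretation, claims); raise ValueError on any failure."""
    try:
        head, body, sig64 = token.split(".")
        header, sig = json.loads(b64url_decode(head)), b64url_decode(sig64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the verifier side; never let the header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    for name, key in candidate_keys(stored).items():
        mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, sig):  # constant-time comparison
            claims = json.loads(b64url_decode(body))
            current = time.time() if now is None else now
            if claims.get("exp", float("inf")) <= current:
                raise ValueError("token expired")
            return name, claims
    raise ValueError("signature mismatch")

if __name__ == "__main__":
    key = bytes(range(32))        # constructed sample key, not a real secret
    stored = b64url_encode(key)   # stands in for the value from the SQL query
    token = sign_hs256(key, {"sub": "bruno", "exp": 2000000000})
    print(verify_hs256(token, stored))
```

A result of "base64url" means the database value has to be decoded before use as the HMAC key, which a debugger that treats the pasted secret as literal text will not do.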