For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Go to app
DocumentationAPI Reference
DocumentationAPI Reference
  • API Reference
    • Introduction
    • Users
    • Taskflow
    • AI Task Builder
    • Studies
    • Representative sample studies
    • study-collections
    • Filter Sets
    • Participant Groups
    • Custom Groups
    • Study Distribution
    • Submissions
    • Bonuses
    • Messages
    • Workspaces
    • Projects
    • Surveys
    • Webhooks
    • Invitations
    • Reward Recommendations
    • Testing
    • Well Known Endpoints
      • GETRetrieve JSON Web Key Set (JWKS)
Go to app
LogoLogo
API ReferenceWell Known Endpoints

Retrieve JSON Web Key Set (JWKS)

|View as Markdown|Open in Claude|
GET
https://api.prolific.com/.well-known/study/jwks.json
GET
/.well-known/study/jwks.json
$curl https://api.prolific.com/.well-known/study/jwks.json \
>     -H "Content-Type: application/json"
200Retrieved
1{
2  "keys": [
3    {
4      "kty": "RSA",
5      "kid": "a1b2c3d4e5f6g7h8i9j0",
6      "alg": "RS256",
7      "n": "oahUIz7X9v1q2r3s4t5u6v7w8x9y0zABCD1234567890EFGHIJKLMNOPQRSTUVWXYZabcdefghiJKLmnopqrstuVWXYZ1234567890abcdefgHIJKLMNOpqrstuvwxYZ",
8      "e": "AQAB",
9      "use": "sig",
10      "key_ops": [
11        "verify"
12      ]
13    }
14  ]
15}
Fetches the public keys that can be used to verify JWTs signed by Prolific. Clients should cache these keys and update them at least daily. To verify the signature of a JWT you must verify the following: * The JWT signature is authentic by verifying it with the public key from Prolific that correlates with the KID. * The JWT hasn't expired, by checking the `exp` claim. * The `aud` claim is the correct domain for your tool. * The `prolific` claim matches your expected payload as set in the `external_study_url` property. It always includes `workspace_id`. When the workspace is linked to an organisation, it also includes `organisation_id`.
Was this page helpful?
Previous

Well-Known Endpoints

Next

List credential pools for a workspace

Fetches the public keys that can be used to verify JWTs signed by Prolific. Clients should cache these keys and update them at least daily.

To verify the signature of a JWT you must verify the following:

  • The JWT signature is authentic by verifying it with the public key from Prolific that correlates with the KID.
  • The JWT hasn’t expired, by checking the exp claim.
  • The aud claim is the correct domain for your tool.
  • The prolific claim matches your expected payload as set in the external_study_url property. It always includes workspace_id. When the workspace is linked to an organisation, it also includes organisation_id.

Response

Successful response with the JWKS.
keyslist of objects