# Get Wise public signing key

Returns a public key issued by Wise for verifying signed HTTP responses and for encrypting payloads.

For both signature verification and payload encryption, the process involves storing this public key after retrieval. In both cases, the stored public key should be used without calling this endpoint.

If verification of the signed request fails or you receive an encryption error, call this API once to issue a fresh key from Wise and then try verification one more time.

{% admonition type="warning" %}
  This endpoint requires a client credentials token, not a user level access token. Make sure you use your client details to fetch a valid client credentials token before performing this call.
{% /admonition %}

Endpoint: GET /v1/auth/jose/response/public-keys
Security: ClientCredentialsToken

## Query parameters:

  - `version` (integer)
    Fetch a specific public key version. If omitted the most recent public key is provided.

  - `algorithm` (string, required)
    Algorithm to be used for signature verification or payload encryption. This must match the algorithm used during request.

- Signature verification (Scope: PAYLOAD_SIGNING): ES256, ES384, ES512, PS256, PS384, PS512
- Payload encryption (Scope: PAYLOAD_ENCRYPTION): RSA_OAEP_256
    Enum: "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "RSA_OAEP_256"

  - `scope` (string, required)
    Scope of the key. Must be PAYLOAD_SIGNING or PAYLOAD_ENCRYPTION.
    Enum: "PAYLOAD_SIGNING", "PAYLOAD_ENCRYPTION"

## Response 200 fields (application/json):

  - `version` (integer)
    Version of the public key issued.

  - `keyMaterial` (object)

  - `keyMaterial.algorithm` (string)
    Algorithm to be used with the key.
    Enum: "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "RSA_OAEP_256"

  - `keyMaterial.keyMaterial` (string)
    Public key material.

  - `scope` (string)
    Scope of the key.
    Enum: "PAYLOAD_SIGNING", "PAYLOAD_ENCRYPTION"