Directory is a key set

The directory body must be a JSON Web Key Set: a JSON object with a "keys" array.

What this check verifies

A Web Bot Auth directory is a JSON Web Key Set (JWKS), defined in RFC 7517. The response body is a JSON object with a top-level keys array, and each entry in that array is one key:

{
  "keys": [
    { "kty": "OKP", "crv": "Ed25519", "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo", "kid": "..." }
  ]
}

This check runs after the body has parsed as JSON. It confirms the parsed value has a keys member and that keys is an array. It does not look inside the keys yet; the per-key checks do that.

Why it matters

Verifiers find your keys by reading the keys array. If the body is valid JSON but has no keys array, there is nothing to check a signature against, so the directory cannot do its job. The checker reports this as NOT FOUND rather than a low grade, because a JSON document with no key set is not a usable directory at all.

In practice this almost always means the well-known path is returning the wrong document.

How to fix it

Serve a JSON object with a keys array, even when you publish a single key:

{ "keys": [ { "kty": "OKP", "crv": "Ed25519", "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo", "kid": "..." } ] }

Common mistakes:

  • Serving a bare key object ({ "kty": "OKP", ... }) without the { "keys": [ ... ] } wrapper.
  • Serving the keys as a top-level array ([ { ... } ]) instead of an object with a keys member.
  • Serving an unrelated document at the path, such as an OpenID configuration or an A2A agent card. Those are not key sets.

After the fix, the top level of the body should be an object whose keys value is an array.
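
A local preflight for this check, written as an added example (not the checker's own code): it separates a valid key set from the common mistakes listed above. The function name, the result labels and the sample bodies are assumptions constructed for illustration.

```python
import json

def classify_directory_body(body: str) -> str:
    """Diagnose the top-level shape of a directory body.

    The labels returned are this example's own, not the checker's output.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-json"  # outside this check, which only runs on parsed JSON
    if isinstance(doc, list):
        return "top-level-array"  # [ { ... } ] instead of { "keys": [ ... ] }
    if not isinstance(doc, dict):
        return "not-an-object"  # a JSON string, number, boolean or null
    if "keys" in doc:
        # Only the shape is checked; the entries are left to per-key checks.
        return "ok" if isinstance(doc["keys"], list) else "keys-not-array"
    if "kty" in doc:
        return "bare-key"  # a single JWK served without the wrapper
    return "unrelated-document"  # e.g. an OpenID configuration or agent card

# Constructed sample bodies; the key is the one shown on this page.
KEY = ('{ "kty": "OKP", "crv": "Ed25519", '
       '"x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo", "kid": "..." }')
SAMPLES = {
    "wrapped": '{ "keys": [ ' + KEY + ' ] }',
    "bare": KEY,
    "array": '[ ' + KEY + ' ]',
    "keys_is_object": '{ "keys": ' + KEY + ' }',
    "empty_set": '{ "keys": [] }',
    "openid": '{ "issuer": "https://example.com", '
              '"jwks_uri": "https://example.com/jwks.json" }',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:15} -> {classify_directory_body(body)}")
```

An empty keys array passes here because this check only looks at the top-level shape.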

References

  • RFC 7517 defines the JSON Web Key Set and its keys member.
  • The web-bot-auth directory draft requires the directory to be served as a JWKS.
  • How grading works explains why a missing key set is treated as NOT FOUND.

How the checker scores this

  • Tier: JWKS directory
  • Role: Authoritative. Failing this can lower the grade ceiling or change the verdict.
  • Verdict effect: Failing makes the verdict NOT FOUND.
  • Point deduction: A failure deducts 25 points; a warning deducts 6.