Key type is OKP

Every key in the directory must have key type (kty) OKP, the type used for Ed25519.

What this check verifies

This check reads every key in the directory and confirms each one has kty set to OKP. If any key has a different kty, or none, the check fails.

OKP stands for Octet Key Pair, the JSON Web Key type for Edwards-curve keys, defined in RFC 8037. Web Bot Auth uses Ed25519, which is an Edwards curve, so every key in the directory is an OKP key:

{ "kty": "OKP", "crv": "Ed25519", "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo", "kid": "..." }

This is one of three structural per-key checks, alongside the curve and the public key length. The check aggregates across all keys: one wrong kty fails it.

Why it matters

The kty member tells a verifier how to interpret the rest of the key. An RSA key (kty: "RSA") or an EC key (kty: "EC") has different members and a different signature algorithm, so a verifier expecting an Ed25519 OKP key cannot use it. A wrong or missing kty means the verifier has no key it can check your signature against.

Because this is a correctness failure on the key itself, it makes the directory invalid. The verdict is INVALID, not just a lower grade: the directory exists, but its keys are not the kind Web Bot Auth can use.

How to fix it

Set kty to OKP on every key:

{ "kty": "OKP", "crv": "Ed25519", "x": "...", "kid": "..." }

The common cause is publishing a key of the wrong type, usually because the key was generated as RSA or P-256 (EC) rather than Ed25519. Web Bot Auth requires Ed25519, so generate an Ed25519 keypair and export its public JWK, which will carry kty: "OKP". If only one key in a multi-key set is wrong, find and remove or replace that key.
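One way to run this check locally and find the offending key in a multi-key set, as an added example (not the checker's own code). The sample directory, its kid values and the function name check_kty_is_okp are constructed for illustration.

```python
import json

# Constructed sample directory: one valid Ed25519 key, one RSA key,
# and one key with kty missing. The kid values and RSA modulus are made up.
SAMPLE_DIRECTORY = json.dumps({
    "keys": [
        {"kty": "OKP", "crv": "Ed25519",
         "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo", "kid": "sample-okp"},
        {"kty": "RSA", "n": "constructed-modulus", "e": "AQAB", "kid": "sample-rsa"},
        {"crv": "Ed25519",
         "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo", "kid": "sample-no-kty"},
    ]
})


def check_kty_is_okp(directory_json):
    """Return (passed, failures) for a JWKS directory given as a JSON string.

    failures holds one (index, kid, found_kty) tuple per key whose kty is
    not exactly "OKP"; found_kty is None when the member is absent.
    """
    doc = json.loads(directory_json)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        # Assumption: a malformed directory is a separate structural problem,
        # so it is raised here instead of being reported as a kty failure.
        raise ValueError("directory has no 'keys' array")

    failures = []
    for index, key in enumerate(keys):
        if not isinstance(key, dict):
            failures.append((index, None, None))
            continue
        kty = key.get("kty")
        # kty is a case-sensitive string (RFC 7517), so "okp" does not match.
        if kty != "OKP":
            failures.append((index, key.get("kid"), kty))

    # The check aggregates across all keys: a single bad key fails it.
    return (not failures, failures)


if __name__ == "__main__":
    passed, failures = check_kty_is_okp(SAMPLE_DIRECTORY)
    print("PASS" if passed else "FAIL")
    for index, kid, kty in failures:
        print(f"  keys[{index}] kid={kid!r} kty={kty!r} (expected 'OKP')")
```
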

References

  • RFC 8037 defines the OKP key type and Ed25519 for JOSE.
  • RFC 7517 defines the kty member of a JSON Web Key.
  • How grading works explains why a wrong key type makes the directory invalid.

How the checker scores this

Tier: JWKS directory
Role: Authoritative. Failing this can lower the grade ceiling or change the verdict.
Verdict effect: Failing makes the verdict INVALID.
Point deduction: A failure deducts 25 points; a warning deducts 6.