Public key is 32 bytes

Every key's x value must be base64url that decodes to exactly 32 bytes.

What this check verifies

This check reads the x member of every key and confirms it is a base64url string that decodes to exactly 32 bytes. If x is missing, is not a string, decodes to the wrong length, or is not valid base64url, the check fails.

For an Ed25519 OKP key, x is the public key: the 32-byte curve point, encoded as base64url without padding, per RFC 8037.

{ "kty": "OKP", "crv": "Ed25519", "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo", "kid": "..." }

The string above decodes to 32 bytes. This is one of three structural per-key checks, alongside the key type and the curve, and it aggregates across all keys.

Why it matters

x is the actual public key. A verifier uses these 32 bytes to check your Ed25519 signature. If x decodes to the wrong number of bytes, it is not a valid Ed25519 public key, and the verification cannot run. A common cause of a length other than 32 is the wrong encoding: standard base64 with + and /, hex, or a value that includes padding or whitespace can decode to a different length or fail to decode.

Because a malformed public key cannot verify a signature, this makes the directory invalid. The verdict is INVALID rather than a lower grade.

How to fix it

  1. Confirm x is the 32-byte Ed25519 public key encoded as base64url (RFC 4648 section 5), not standard base64 and not hex.
  2. Use the unpadded base64url alphabet: A-Z, a-z, 0-9, -, and _. A 32-byte value encodes to 43 base64url characters with no = padding.
  3. Export the public key from a JWK exporter rather than hand-encoding it, so the encoding is correct by construction.

The usual cause is encoding the key with the wrong alphabet (+ and / instead of - and _), including padding or newlines, or accidentally serializing a different field. Export the public JWK from your key library and copy x verbatim.
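The validation described on this page, with a diagnosis of the common wrong encodings, as an added Python example (not the checker's own code). The names check_x and check_directory and the reason strings are hypothetical, and the sample directory is constructed around the x value shown above.

```python
import base64
import re

# Added example: function names and reason strings are illustrative.
B64URL = re.compile(r"[A-Za-z0-9_-]+")  # unpadded base64url (RFC 4648 section 5)
HEX64 = re.compile(r"[0-9A-Fa-f]{64}")

def check_x(key):
    """Return (ok, reason) for the x member of one JWK dict."""
    x = key.get("x")
    if x is None:
        return False, "x is missing"
    if not isinstance(x, str):
        return False, "x is not a string"
    # Validate the alphabet first: base64.urlsafe_b64decode is lenient and
    # does not reject +, / or whitespace on its own.
    if not B64URL.fullmatch(x):
        if re.search(r"\s", x):
            return False, "x contains whitespace"
        if "=" in x:
            return False, "x contains = padding"
        if "+" in x or "/" in x:
            return False, "x uses standard base64 (+ and /), not base64url"
        return False, "x is not valid base64url"
    if len(x) % 4 == 1:
        return False, "x is not valid base64url"  # no byte string encodes to this length
    raw = base64.urlsafe_b64decode(x + "=" * (-len(x) % 4))
    if len(raw) != 32:
        hint = " (looks like hex)" if HEX64.fullmatch(x) else ""
        return False, f"x decodes to {len(raw)} bytes, expected 32{hint}"
    return True, "ok"

def check_directory(jwks):
    """Aggregate over all keys: pass only if every key's x passes."""
    failures = []
    for index, key in enumerate(jwks.get("keys", [])):
        ok, reason = check_x(key)
        if not ok:
            failures.append((key.get("kid", index), reason))
    return not failures, failures

# Constructed sample directory; the first x is the value shown on this page.
SAMPLE = {"keys": [
    {"kid": "good", "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"},
    {"kid": "std-b64", "x": "11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo="},
    {"kid": "hex", "x": "ab" * 32},
]}
print(check_directory(SAMPLE))
```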

References

  • RFC 8037 defines the x parameter as the base64url-encoded Ed25519 public key.
  • RFC 7517 defines the JSON Web Key format.
  • How grading works explains why a malformed public key makes the directory invalid.

How the checker scores this

Tier: JWKS directory

Role: Authoritative. Failing this can lower the grade ceiling or change the verdict.

Verdict effect: Failing makes the verdict INVALID.

Point deduction: A failure deducts 25 points; a warning deducts 6.