A

Protocol

HIGH

Every signing_keys[] entry is a valid JWK

Every `signing_keys[]` entry parses as a valid JWK with `kty` and the kty-specific required fields. Malformed JWK entries are rejected silently by agents — signed payloads cannot be verified, and the merchant loses that trust signal.

What this check looks for

UCP profiles advertise public signing keys under `signing_keys[]` so agents can verify signed payloads. Each entry MUST be a JWK per RFC 7517: `kty` is always required, and each kty (EC, RSA, OKP, oct) carries its own required parameter set. Per RFC 7517 §4.5, `kid` is OPTIONAL on a JWK — this check does not enforce it (a future `ucp-signing-keys-recommended` check will warn when it is missing). Empty arrays are treated as `na`: the profile signals no signed surfaces today.

Which AI surfaces it affects

  • Google AI Mode (UCP): 90
  • Microsoft Copilot: 70
  • ChatGPT (ACP): 30
  • Meta AI: 30
  • Perplexity: 20

Weighted against the live specs — ACP 2026-04-17, UCP 2026-04-08.

How to fix it

Make every `signing_keys[]` entry a JWK with `kty` + kty-specific params

Shopify

Developer
  1. Generate the JWK with your preferred library (e.g., jose for Node, PyJWT for Python) and embed it into the UCP JSON your handler returns.

BigCommerce

Developer
  1. Generate the public JWK and embed it in the UCP profile served by your edge worker.

WooCommerce

Developer
  1. Use a JWK library (e.g., firebase/php-jwt) to derive the JWK and emit it in the `/.well-known/ucp` payload.

Custom / headless

Developer
  1. Generate the public JWK from your signing keypair and add it under `signing_keys[]`.
  2. Include `kid` for easier rotation (optional per RFC 7517 §4.5 but recommended); never publish the private key.
`/.well-known/ucp` (excerpt):

```json
{
  "signing_keys": [
    {
      "kty": "EC",
      "kid": "key-2026-01",
      "crv": "P-256",
      "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
      "y": "x_FEzRu9aXEvBkKfqkNQYIz3HXVL83p2J5GXbcVMjzM"
    }
  ]
}
```
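The following is an added example, not code from the audit tool or the UCP project, of how the pass / fail / na logic described under "What this check looks for" can be run against a parsed profile before you publish it, so a missing kty-specific member or a leaked private parameter is caught on your side rather than silently by an agent. It validates the excerpt above (whose `x`/`y` values are the P-256 test vector from RFC 7515 Appendix A.3) alongside three constructed broken profiles; the function names, the curve-length table and the sample profiles are this example's own assumptions, and the required-member sets follow RFC 7518 §6 (OKP from RFC 8037 §2).

```python
import base64
import json

# Public-key members each kty must carry (RFC 7518 §6; OKP is defined in RFC 8037 §2).
REQUIRED_BY_KTY = {
    "EC": ("crv", "x", "y"),
    "RSA": ("n", "e"),
    "OKP": ("crv", "x"),
    "oct": ("k",),
}

# Members that only belong in a private JWK (RFC 7518 §6.2.2, §6.3.2); must never be published.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}

# Coordinate length in bytes for the curves named in RFC 7518 §6.2.1.1 (assumed table).
EC_COORD_LEN = {"P-256": 32, "P-384": 48, "P-521": 66}


def b64url_decode(value):
    """Decode unpadded base64url (RFC 7515 §2); return None if the value is not base64url."""
    if not isinstance(value, str) or not value:
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def check_jwk(entry, index):
    """Return the problems found in one signing_keys[] entry; an empty list means it is a valid JWK."""
    where = f"signing_keys[{index}]"
    if not isinstance(entry, dict):
        return [f"{where}: entry is not a JSON object"]
    kty = entry.get("kty")
    if not isinstance(kty, str):
        return [f"{where}: missing required member 'kty' (RFC 7517 §4.1)"]
    if kty not in REQUIRED_BY_KTY:
        return [f"{where}: unsupported kty {kty!r}"]

    problems = []
    for member in REQUIRED_BY_KTY[kty]:
        if member not in entry:
            problems.append(f"{where}: kty={kty} requires member {member!r}")
        elif member != "crv" and b64url_decode(entry[member]) is None:
            problems.append(f"{where}: member {member!r} is not base64url")

    leaked = sorted(PRIVATE_MEMBERS & entry.keys())
    if leaked:
        problems.append(f"{where}: private-key members published: {', '.join(leaked)}")

    # Extra sanity check for EC keys: both coordinates must match the curve's field size.
    if kty == "EC" and not problems:
        crv = entry["crv"]
        expected = EC_COORD_LEN.get(crv) if isinstance(crv, str) else None
        if expected is None:
            problems.append(f"{where}: unknown EC curve {crv!r}")
        else:
            for coord in ("x", "y"):
                if len(b64url_decode(entry[coord])) != expected:
                    problems.append(f"{where}: {coord} is not {expected} bytes for {crv}")
    return problems


def check_signing_keys(profile):
    """Run the check over a parsed /.well-known/ucp document.

    Returns {"status": "pass" | "fail" | "na", "problems": [...]}. An absent or empty
    signing_keys[] is 'na': the profile advertises no signed surfaces today.
    """
    keys = profile.get("signing_keys")
    if not keys:
        return {"status": "na", "problems": []}
    if not isinstance(keys, list):
        return {"status": "fail", "problems": ["signing_keys is not an array"]}
    problems = []
    for i, entry in enumerate(keys):
        problems.extend(check_jwk(entry, i))
    return {"status": "fail" if problems else "pass", "problems": problems}


# Constructed sample profiles: the first mirrors the excerpt above, the rest are deliberately broken.
GOOD_PROFILE = json.loads("""{
  "signing_keys": [
    {"kty": "EC", "kid": "key-2026-01", "crv": "P-256",
     "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
     "y": "x_FEzRu9aXEvBkKfqkNQYIz3HXVL83p2J5GXbcVMjzM"}
  ]
}""")
RSA_MISSING_E = {"signing_keys": [{"kty": "RSA", "kid": "rsa-1", "n": "AQAB"}]}
LEAKED_PRIVATE = {"signing_keys": [dict(GOOD_PROFILE["signing_keys"][0], d="AQAB")]}
NO_KEYS = {"signing_keys": []}

if __name__ == "__main__":
    for name, profile in [("good", GOOD_PROFILE), ("rsa-missing-e", RSA_MISSING_E),
                          ("leaked-private", LEAKED_PRIVATE), ("no-keys", NO_KEYS)]:
        result = check_signing_keys(profile)
        print(f"{name:15} {result['status']:4} {'; '.join(result['problems'])}")
```

Running the script prints one line per sample: the excerpt passes, the RSA entry fails for its missing `e`, the EC entry with a `d` member fails for publishing private-key material, and the empty array reports `na`. Wire `check_signing_keys` into the build step that emits your profile so a broken key never reaches `/.well-known/ucp`.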

The spec it's pinned to

  • RFC 7517 — JSON Web Key (JWK)

    RFC 7517 §4.1 defines `kty` as a REQUIRED member of every JWK. Each `kty` value (EC, RSA, OKP, oct) brings its own required parameter set per RFC 7518 §6 — agents reject keys missing those parameters.

Does your store pass this check?

Run the full audit — 82 checks across five AI shopping surfaces. Most tools only check whether you get mentioned; we check whether an agent can buy from you.
