diff --git a/go.mod b/go.mod
index e82e0b1..4c7c249 100644
--- a/go.mod
+++ b/go.mod
@@ -7,6 +7,7 @@ toolchain go1.22.3
 require (
 github.com/1f349/rsa-helper v0.0.2
 github.com/becheran/wildmatch-go v1.0.0
+ github.com/go-jose/go-jose/v4 v4.0.4
 github.com/golang-jwt/jwt/v4 v4.5.0
 github.com/google/subcommands v1.2.0
 github.com/pkg/errors v0.9.1
diff --git a/jwks.go b/jwks.go
new file mode 100644
index 0000000..7f4b498
--- /dev/null
+++ b/jwks.go
@@ -0,0 +1,30 @@
+package mjwt
+
+import (
+ "encoding/json"
+ "github.com/go-jose/go-jose/v4"
+ "io"
+)
+
+func WriteJwkSetJson(w io.Writer, issuers []*Issuer) error {
+ enc := json.NewEncoder(w)
+ enc.SetIndent("", " ")
+ var j jose.JSONWebKeySet
+ for _, issuer := range issuers {
+ // get public key from private key
+ key, err := issuer.PrivateKey()
+ if err != nil {
+ return err
+ }
+ pubKey := &key.PublicKey
+
+ // format as JWK
+ j.Keys = append(j.Keys, jose.JSONWebKey{
+ Algorithm: issuer.signing.Alg(),
+ Use: "sig",
+ KeyID: issuer.kid,
+ Key: pubKey,
+ })
+ }
+ return enc.Encode(j)
+}
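Review bot: With an empty or nil `issuers` slice, `j.Keys` in the new jwks.go stays nil, so the encoder should emit `"keys": null` instead of an empty array, which clients that expect the JWK Set `keys` member to be an array may reject; `j.Keys = make([]jose.JSONWebKey, 0, len(issuers))` before the loop avoids that. A nil element in `issuers` would panic at `issuer.PrivateKey()`, so a guard such as `if issuer == nil { continue }` (or returning an error) is worth adding at the top of the loop. The exported function has no doc comment; `// WriteJwkSetJson writes the issuers' public keys to w as an indented JWK Set; only &key.PublicKey is serialised, never the private key.` would record the property that matters for a published key set. Because the private key is loaded only to take its public half, an accessor on `Issuer` that returns the public key directly would keep private material out of this path, assuming the type can provide one.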