JWE

JSON Web Encryption

JSON Web Encryption: encrypted JSON envelope

JSON Web Encryption (JWE) is a standard format for encrypting JSON payloads so only holders of the private key can read them. Veliro Secure Fields encrypts captured card data into a JWE client-side using a public key from Veliro’s JWKS endpoint before any card data reaches your servers, keeping merchants SAQ-A eligible.

JWE differs from relying on TLS alone: TLS protects data in transit to your server, but if the destination is your server, the PAN still enters your scope. JWE ensures only the tokenization endpoint can decrypt card data, even if a merchant proxy misroutes traffic.

Implementations must pin the permitted algorithms (RSA-OAEP, AES-GCM) and reject downgrade attacks. Rotate JWKS keys on a schedule, and cache keys according to their max-age headers, per operational guidance.
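One way to enforce the pinning described above before any decryption is attempted, shown as an added example that is not Veliro's code. It assumes Node.js, assumes the pinned pair is `alg=RSA-OAEP` with `enc=A256GCM` (the page names only "RSA-OAEP, AES-GCM"), and uses hypothetical names (`checkJweHeader`, `verdict`, the `enc-key-1` key id) and constructed sample tokens.

```javascript
// Added example (not Veliro code). Assumption: the pinned pair is
// alg=RSA-OAEP / enc=A256GCM; the page names only "RSA-OAEP, AES-GCM".
const PINNED = Object.freeze({ alg: "RSA-OAEP", enc: "A256GCM" });
// Anything else (zip, crit, jwk, jku, epk, ...) is refused rather than ignored.
const ALLOWED_PARAMS = new Set(["alg", "enc", "kid", "typ", "cty"]);

function decodeHeader(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("header is not base64url");
  const header = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
  if (header === null || typeof header !== "object" || Array.isArray(header)) {
    throw new Error("header is not a JSON object");
  }
  return header;
}

// Validates the protected header and selects the key by kid.
// Throws before any decryption is attempted; returns { header, key } on success.
function checkJweHeader(compact, jwks) {
  const parts = String(compact).split(".");
  if (parts.length !== 5) throw new Error("not a JWE compact serialization");
  const header = decodeHeader(parts[0]);
  for (const name of Object.keys(header)) {
    if (!ALLOWED_PARAMS.has(name)) throw new Error(`unexpected header parameter: ${name}`);
  }
  if (header.alg !== PINNED.alg) throw new Error(`alg not allowed: ${header.alg}`);
  if (header.enc !== PINNED.enc) throw new Error(`enc not allowed: ${header.enc}`);
  const key = jwks.keys.find((k) => k.kid === header.kid && k.kty === "RSA" &&
    (k.use === undefined || k.use === "enc") && (k.alg === undefined || k.alg === PINNED.alg));
  if (!key) throw new Error(`no usable key for kid: ${header.kid}`);
  return { header, key };
}

// Constructed sample data: placeholder segments, not real ciphertext or key material.
const SAMPLE_JWKS = { keys: [{ kty: "RSA", kid: "enc-key-1", use: "enc", alg: "RSA-OAEP", n: "constructed", e: "AQAB" }] };
const sampleToken = (header) =>
  [Buffer.from(JSON.stringify(header)).toString("base64url"), "ek", "iv", "ct", "tag"].join(".");

// Returns "ok" or the rejection reason, so callers can log why a token was refused.
function verdict(header) {
  try { checkJweHeader(sampleToken(header), SAMPLE_JWKS); return "ok"; }
  catch (err) { return err.message; }
}

console.log(verdict({ alg: "RSA-OAEP", enc: "A256GCM", kid: "enc-key-1" }));
console.log(verdict({ alg: "RSA1_5", enc: "A256GCM", kid: "enc-key-1" }));
console.log(verdict({ alg: "RSA-OAEP", enc: "A128CBC-HS256", kid: "enc-key-1" }));
console.log(verdict({ alg: "RSA-OAEP", enc: "A256GCM", kid: "enc-key-1", zip: "DEF" }));
```

Comparing against a fixed pair, rather than looking the header's `alg` up in a table of supported algorithms, is what keeps a sender-chosen header from selecting a weaker mode.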

After JWE delivery, Veliro provisions network tokens and returns only tok_* references to your backend. JWE is the front door that makes downstream PSP independence possible without PAN ever touching merchant infrastructure.

Exercise JWKS key rotation in staging before production key rolls; clients that cache public keys too aggressively are the usual cause of brief capture outages after scheduled crypto maintenance.
