WKD — Web Key Directory.
A way for OpenPGP tools to auto-discover keys by HTTPS. Encrypt to
alice@example.com and your mail client can fetch Alice's public key directly
from example.com — no keyserver lookup, no manual import. The most
self-sovereign of the discovery mechanisms.
WKD (Web Key Directory) is an OpenPGP key-distribution mechanism
specified in draft-koch-openpgp-webkey-service. A mail client encrypting to
user@example.com queries a well-known HTTPS URL on example.com
and downloads the user's public key from the domain operator.
What it is.
Standard OpenPGP keyservers (keys.openpgp.org and friends) act as third-party hubs — anyone can upload anyone's key (subject to email verification on modern servers), and anyone can look up keys by email or fingerprint. WKD takes a different approach: keys live at their home domain, served by the domain operator over HTTPS at a predictable URL.
The URL structure has two forms:
- Direct method:
  https://example.com/.well-known/openpgpkey/hu/HASH?l=alice
- Advanced method:
  https://openpgpkey.example.com/.well-known/openpgpkey/example.com/hu/HASH?l=alice
The hash is the Z-base-32-encoded SHA-1 of the lowercased localpart of the email
(alice in the example). Mail clients try the Advanced URL first; if it doesn't
resolve, they fall back to Direct.
What's served at that URL is the binary OpenPGP public key — not ASCII-armored, not wrapped in JSON, just the raw key bytes that the client can import directly.
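The URL derivation and the Advanced-then-Direct fallback described above, as an added example that is not part of the original page or of any particular client's code. It computes the Z-base-32 SHA-1 hash of the local part, builds both URLs, and runs the lookup through a constructed stand-in fetcher (the real client would issue HTTPS requests); the `?l=` value keeps the original local part, the hash uses the lowercased one, and the binary-key check only looks at the first byte of the response:

```python
import hashlib
from typing import Callable, Optional
from urllib.parse import quote

# z-base-32 alphabet (RFC 6189, section 5.1.6), the encoding WKD uses for the hash.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, no padding characters,
    trailing bits zero-filled. A 20-byte SHA-1 digest yields exactly 32 characters."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZBASE32_ALPHABET[(bits >> ((nchars - 1 - i) * 5)) & 0x1F]
                   for i in range(nchars))


def wkd_hash(localpart: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded.
    Only ASCII A-Z is folded here (assumption: non-ASCII case folding is left alone)."""
    folded = "".join(c.lower() if "A" <= c <= "Z" else c for c in localpart)
    return zbase32_encode(hashlib.sha1(folded.encode("utf-8")).digest())


def wkd_urls(email: str) -> dict:
    """Both WKD URL forms for an address; 'l' carries the local part as written."""
    localpart, _, domain = email.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(localpart)
    lp = quote(localpart)
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={lp}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={lp}",
    }


def looks_like_binary_key(blob: bytes) -> bool:
    """WKD serves raw OpenPGP packets, not ASCII armor. Every OpenPGP packet
    header byte has its high bit set, while armor starts with '-----BEGIN'."""
    return bool(blob) and (blob[0] & 0x80) == 0x80 and not blob.startswith(b"-----BEGIN")


def discover_key(email: str, fetch: Callable[[str], Optional[bytes]]) -> Optional[bytes]:
    """Client-side lookup order: Advanced URL first, then Direct.
    `fetch` returns the response body or None when the host/URL does not resolve."""
    urls = wkd_urls(email)
    for method in ("advanced", "direct"):
        body = fetch(urls[method])
        if body is not None and looks_like_binary_key(body):
            return body
    return None


# Constructed stand-in for an HTTPS fetch (sample scenario, not a real domain):
# example.com has no openpgpkey subdomain, so only the Direct URL answers, and only
# for alice. The "key" is just an old-format public-key packet header (tag 6).
FAKE_KEY = b"\x99\x00\x03"


def fake_fetch(url: str) -> Optional[bytes]:
    if url.startswith("https://openpgpkey.example.com/"):
        return None  # subdomain does not resolve in this scenario
    if url == wkd_urls("alice@example.com")["direct"]:
        return FAKE_KEY
    return None


if __name__ == "__main__":
    for method, url in wkd_urls("alice@example.com").items():
        print(f"{method:8} {url}")
    print("found key:", discover_key("alice@example.com", fake_fetch) is not None)
    print("found key for bob:", discover_key("bob@example.com", fake_fetch) is not None)
```

A domain operator can reuse `wkd_urls` to check a deployment: request the Direct URL for one of their own addresses and confirm the response body passes `looks_like_binary_key` rather than being an armored block or an HTML error page, which is the most common misconfiguration when a web server adds a default content type or a redirect.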
Why it matters.
WKD is the most self-sovereign of the OpenPGP discovery mechanisms:
- You control the publication. No third-party keyserver can decide to drop your key or be subpoenaed for upload metadata. Your key lives on your own (or your domain operator's) infrastructure.
- Automatic from the user's side. Mail clients with WKD support fetch the key without user intervention. No "look up the recipient's fingerprint first" friction.
- Survives keyserver outages. If keys.openpgp.org goes away, your WKD still works.
- Aligned with the email-domain trust model. The party serving your key is the same party operating your email — there's already an implicit trust relationship.
Limitations: you need a domain you control, or a domain operator that supports WKD. Users of personal Gmail or Outlook addresses can't publish WKD entries themselves; the provider would have to support it, and most large mail providers don't.