diff --git a/oauth3.issuer.js b/oauth3.issuer.js
index d751f96..4b9fcd6 100644
--- a/oauth3.issuer.js
+++ b/oauth3.issuer.js
@@ -158,6 +158,37 @@ OAUTH3.urls.resourceOwnerPassword = function (directive, opts) {
 , data: body
 };
 };
+
+// Required sub can be provided in either of two formats.
+// opts : {sub: (subID)}
+// opts : {session: { token: sub: (subID)}}
+OAUTH3.urls.publicKeys = function(directive, opts) {
+ if(!directive) {
+ throw new Error("You must supply directives and opts");
+ }
+ if(!directive.JWKs) {
+ //throw new Error("Provider does not support listing public keys.");
+ }
+ if(!opts || (!opts.session && !opts.sub)) {
+ throw new Error("You must supply options.session or a options.sub");
+ }
+ //TODO:
+ //TODO: get the proper directive once it's created!!
+ //TODO: Do we need to have sub strictly provided?
+ var sub = opts.sub || opts.session.token.sub
+ var hardCodedDir = "/api/issuer@oauth3.org/jwks/all/:sub";
+ var url = OAUTH3.url.resolve(directive.api, hardCodedDir)
+ url = url.replace(":sub", sub);
+
+ var method = opts.method || "GET";
+
+ return {
+ method: method
+ , url: url
+ , session: opts.session
+ };
+};
+
 OAUTH3.urls.grants = function (directive, opts) {
 // directive = { issuer, authorization_decision }
 // opts = { response_type, scopes{ granted, requested, pending, accepted } }
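Review bot: `sub` is substituted into the request path without encoding in `url = url.replace(":sub", sub);`, so a value containing `/`, `?`, `#` or `..` changes which path or query the request addresses, and because the replacement is a plain string, `$`-sequences such as `$&` are expanded by `String.prototype.replace`. Encoding the value closes both: `url = url.replace(":sub", encodeURIComponent(sub));`. The guard above only checks that `opts.session` exists, so `opts.session.token.sub` throws a TypeError when the session has no `token` and produces the literal path segment `undefined` when the token has no `sub`; a check such as `if (!sub) { throw new Error("You must supply options.sub or a session with token.sub"); }` after the `var sub` line would make that failure explicit. The empty `if(!directive.JWKs)` block is dead code until the commented-out throw is restored or the block is removed.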
@@ -420,6 +451,24 @@ OAUTH3.authz.scopes = function (providerUri, session, clientParams) {
 };
 });
 };
+
+// Get all public keys for a sub
+// Required sub can be provided in either of two formats.
+// opts : {sub: (subID)}
+// opts : {session: { token: sub: (subID)}}
+OAUTH3.authz.publicKeys = function (providerUri, opts) {
+ opts = opts ? opts : {};
+ return OAUTH3.discover(providerUri, {
+ client_id: providerUri
+ , debug: opts.debug
+ }).then(function(directive) {
+ return OAUTH3.request(OAUTH3.urls.publicKeys(directive, opts));
+ }).then(function(result) {
+ //TODO: Do we need to cache these? Right now I don't see this request happening often.
+ return result.data;
+ });
+};
+
 OAUTH3.authz.grants = function (providerUri, opts) {
 return OAUTH3.discover(providerUri, {
 client_id: providerUri
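Review bot: `opts.session` is forwarded to `OAUTH3.request` (through the `session` field that `OAUTH3.urls.publicKeys` returns) even when `opts.sub` is supplied, and the target host is whatever `directive.api` the discovery of `providerUri` produced; nothing in this function ties the session to that provider. If `OAUTH3.request` attaches the session's token to the outgoing request, which is not visible in this hunk, a caller that passes a session from one issuer together with a different `providerUri` would send that token to the other host. Since the endpoint serves public keys, consider stating the expectation above the function, for example `// opts.session is sent with the request; pass only a session issued by providerUri`, or omitting the session from the request when `opts.sub` is given. Separately, `opts` is validated only inside the first `.then`, so a call with neither `sub` nor `session` still performs discovery before it rejects.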