ory
diff --git a/‎docs/resources/json_web_key_set.md‎
Lines changed: 14 additions & 8 deletions b/‎docs/resources/json_web_key_set.md‎
Lines changed: 14 additions & 8 deletions
diff --git a/‎examples/resources/ory_json_web_key_set/resource.tf‎
Lines changed: 7 additions & 6 deletions b/‎examples/resources/ory_json_web_key_set/resource.tf‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎internal/client/client.go‎
Lines changed: 38 additions & 0 deletions b/‎internal/client/client.go‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎internal/resources/jwk/resource.go‎
Lines changed: 113 additions & 11 deletions b/‎internal/resources/jwk/resource.go‎
Lines changed: 113 additions & 11 deletions
@@ -13,7 +13,7 @@ JSON Web Keys are used for signing and encrypting tokens. This resource generate
 
 -> **Plan:** Available on all Ory Network plans.
 
-~> **Note:** This resource is **immutable**. Any change to `set_id`, `key_id`, `algorithm`, or `use` will destroy the existing key set and create a new one. Private keys in the old set will be permanently lost.
+~> **Note:** This resource is **immutable**. Any change to `project_id`, `set_id`, `key_id`, `algorithm`, or `use` will destroy the existing key set and create a new one. Private keys in the old set will be permanently lost.
 
 ## Algorithms
 
@@ -46,20 +46,21 @@ Most configurations only need `use = "sig"`.
 ## Example Usage
 
 ```terraform
-# RSA signing key set
+# RSA signing key set (project_id from provider config)
 resource "ory_json_web_key_set" "signing" {
   set_id    = "token-signing-keys"
   key_id    = "rsa-sig-1"
   algorithm = "RS256"
   use       = "sig"
 }
 
-# ECDSA signing key set (smaller, faster)
+# ECDSA signing key set with explicit project_id
 resource "ory_json_web_key_set" "ecdsa_signing" {
-  set_id    = "ecdsa-signing-keys"
-  key_id    = "ec-sig-1"
-  algorithm = "ES256"
-  use       = "sig"
+  project_id = var.ory_project_id
+  set_id     = "ecdsa-signing-keys"
+  key_id     = "ec-sig-1"
+  algorithm  = "ES256"
+  use        = "sig"
 }
 
 # Encryption key set
@@ -98,9 +99,10 @@ On read, the provider extracts `algorithm`, `use`, and `key_id` from the **first
 
 ## Import
 
-Import using the set ID:
+Import using the format `project_id/set_id` or just `set_id` (uses provider's project_id):
 
 ```shell
+terraform import ory_json_web_key_set.signing <project-id>/token-signing-keys
 terraform import ory_json_web_key_set.signing token-signing-keys
 ```
 
@@ -116,6 +118,10 @@ After import, `key_id` is populated from the first key in the set. If the set co
 - `set_id` (String) The ID of the JSON Web Key Set.
 - `use` (String) The intended use: sig (signature) or enc (encryption).
 
+### Optional
+
+- `project_id` (String) The project ID. If not set, uses the provider's project_id.
+
 ### Read-Only
 
 - `id` (String) Internal Terraform ID (same as set_id).
 
@@ -1,17 +1,18 @@
-# RSA signing key set
+# RSA signing key set (project_id from provider config)
 resource "ory_json_web_key_set" "signing" {
   set_id    = "token-signing-keys"
   key_id    = "rsa-sig-1"
   algorithm = "RS256"
   use       = "sig"
 }
 
-# ECDSA signing key set (smaller, faster)
+# ECDSA signing key set with explicit project_id
 resource "ory_json_web_key_set" "ecdsa_signing" {
-  set_id    = "ecdsa-signing-keys"
-  key_id    = "ec-sig-1"
-  algorithm = "ES256"
-  use       = "sig"
+  project_id = var.ory_project_id
+  set_id     = "ecdsa-signing-keys"
+  key_id     = "ec-sig-1"
+  algorithm  = "ES256"
+  use        = "sig"
 }
 
 # Encryption key set
 
@@ -329,6 +329,11 @@ type OryClient struct {
 	// immediately after PatchProject. This cache ensures Read operations
 	// see the latest state after Create/Update.
 	cachedProjects sync.Map
+
+	// cachedSlugs caches project ID -> slug mappings resolved via the console API.
+	// This avoids redundant API calls when multiple CRUD operations resolve the
+	// same project_id within a single Terraform run.
+	cachedSlugs sync.Map
 }
 
 // NewOryClient creates a new Ory API client.
@@ -454,6 +459,39 @@ func (c *OryClient) WorkspaceID() string {
 	return c.config.WorkspaceID
 }
 
+// ResolveProjectSlug resolves a project ID to its slug via the console API.
+// Results are cached to avoid redundant API calls within a single Terraform run.
+func (c *OryClient) ResolveProjectSlug(ctx context.Context, projectID string) (string, error) {
+	if slug, ok := c.cachedSlugs.Load(projectID); ok {
+		return slug.(string), nil
+	}
+	if c.consoleClient == nil {
+		return "", fmt.Errorf("console API client not configured: workspace_api_key is required to resolve project_id to slug")
+	}
+	project, err := c.GetProject(ctx, projectID)
+	if err != nil {
+		return "", fmt.Errorf("resolving project slug for project %s: %w", projectID, err)
+	}
+	slug := project.GetSlug()
+	c.cachedSlugs.Store(projectID, slug)
+	return slug, nil
+}
+
+// ProjectClientForProject returns a project-scoped client for the given project ID.
+// It resolves the project slug via the console API and uses the provider's project API key.
+func (c *OryClient) ProjectClientForProject(ctx context.Context, projectID string) (*OryClient, error) {
+	slug, err := c.ResolveProjectSlug(ctx, projectID)
+	if err != nil {
+		return nil, err
+	}
+	apiKey := c.config.ProjectAPIKey
+	if apiKey == "" {
+		return nil, fmt.Errorf("project_api_key is required for project API operations (JWK, OAuth2, etc.): " +
+			"set it on the provider or via ORY_PROJECT_API_KEY environment variable")
+	}
+	return c.WithProjectCredentials(slug, apiKey), nil
+}
+
 // WithProjectCredentials returns a new OryClient that uses the given project
 // credentials. The returned client shares the console client with the parent
 // but has its own isolated project client (lazily initialized).
 
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"strings"
 
 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/path"
@@ -38,6 +39,7 @@ type JWKResource struct {
 // JWKResourceModel describes the resource data model.
 type JWKResourceModel struct {
 	ID        types.String `tfsdk:"id"`
+	ProjectID types.String `tfsdk:"project_id"`
 	SetID     types.String `tfsdk:"set_id"`
 	KeyID     types.String `tfsdk:"key_id"`
 	Algorithm types.String `tfsdk:"algorithm"`
@@ -61,10 +63,11 @@ generate and manage custom key sets for your Ory project.
 
 ` + "```hcl" + `
 resource "ory_json_web_key_set" "signing" {
-  set_id    = "my-signing-keys"
-  key_id    = "sig-key-1"
-  algorithm = "RS256"
-  use       = "sig"
+  project_id = var.ory_project_id
+  set_id     = "my-signing-keys"
+  key_id     = "sig-key-1"
+  algorithm  = "RS256"
+  use        = "sig"
 }
 ` + "```" + `
 
@@ -81,9 +84,10 @@ resource "ory_json_web_key_set" "encryption" {
 
 ## Import
 
-JWK sets can be imported using their set ID:
+JWK sets can be imported using the format ` + "`project_id/set_id`" + ` or just ` + "`set_id`" + `:
 
 ` + "```shell" + `
+terraform import ory_json_web_key_set.signing <project-id>/my-signing-keys
 terraform import ory_json_web_key_set.signing my-signing-keys
 ` + "```" + `
 `
@@ -100,6 +104,15 @@ func (r *JWKResource) Schema(ctx context.Context, req resource.SchemaRequest, re
 					stringplanmodifier.UseStateForUnknown(),
 				},
 			},
+			"project_id": schema.StringAttribute{
+				Description: "The project ID. If not set, uses the provider's project_id.",
+				Optional:    true,
+				Computed:    true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
 			"set_id": schema.StringAttribute{
 				Description: "The ID of the JSON Web Key Set.",
 				Required:    true,
@@ -168,13 +181,31 @@ func (r *JWKResource) Create(ctx context.Context, req resource.CreateRequest, re
 		return
 	}
 
+	projectID := r.resolveProjectID(plan.ProjectID)
+	if projectID == "" {
+		resp.Diagnostics.AddError(
+			"Missing Project ID",
+			"project_id must be set either in the resource or provider configuration.",
+		)
+		return
+	}
+
+	projectClient, err := r.resolveProjectClient(ctx, projectID)
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error Resolving Project",
+			err.Error(),
+		)
+		return
+	}
+
 	body := ory.CreateJsonWebKeySet{
 		Alg: plan.Algorithm.ValueString(),
 		Kid: plan.KeyID.ValueString(),
 		Use: plan.Use.ValueString(),
 	}
 
-	jwks, err := r.client.CreateJsonWebKeySet(ctx, plan.SetID.ValueString(), body)
+	jwks, err := projectClient.CreateJsonWebKeySet(ctx, plan.SetID.ValueString(), body)
 	if err != nil {
 		resp.Diagnostics.AddError(
 			"Error Creating JSON Web Key Set",
@@ -184,6 +215,7 @@ func (r *JWKResource) Create(ctx context.Context, req resource.CreateRequest, re
 	}
 
 	plan.ID = types.StringValue(plan.SetID.ValueString())
+	plan.ProjectID = types.StringValue(projectID)
 
 	// Serialize the keys to JSON
 	if len(jwks.Keys) > 0 {
@@ -204,9 +236,26 @@ func (r *JWKResource) Read(ctx context.Context, req resource.ReadRequest, resp *
 		return
 	}
 
-	jwks, err := r.client.GetJsonWebKeySet(ctx, state.SetID.ValueString())
+	projectID := r.resolveProjectID(state.ProjectID)
+	if projectID == "" {
+		resp.Diagnostics.AddError(
+			"Missing Project ID",
+			"project_id must be set either in the resource or provider configuration.",
+		)
+		return
+	}
+
+	projectClient, err := r.resolveProjectClient(ctx, projectID)
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error Resolving Project",
+			err.Error(),
+		)
+		return
+	}
+
+	jwks, err := projectClient.GetJsonWebKeySet(ctx, state.SetID.ValueString())
 	if err != nil {
-		// Check if it's a 404
 		resp.Diagnostics.AddError(
 			"Error Reading JSON Web Key Set",
 			"Could not read JWK set "+state.SetID.ValueString()+": "+err.Error(),
@@ -219,6 +268,8 @@ func (r *JWKResource) Read(ctx context.Context, req resource.ReadRequest, resp *
 		return
 	}
 
+	state.ProjectID = types.StringValue(projectID)
+
 	// Serialize the keys to JSON
 	keysJSON, err := json.Marshal(jwks)
 	if err == nil {
@@ -253,7 +304,25 @@ func (r *JWKResource) Delete(ctx context.Context, req resource.DeleteRequest, re
 		return
 	}
 
-	err := r.client.DeleteJsonWebKeySet(ctx, state.SetID.ValueString())
+	projectID := r.resolveProjectID(state.ProjectID)
+	if projectID == "" {
+		resp.Diagnostics.AddError(
+			"Missing Project ID",
+			"project_id must be set either in the resource or provider configuration.",
+		)
+		return
+	}
+
+	projectClient, err := r.resolveProjectClient(ctx, projectID)
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error Resolving Project",
+			err.Error(),
+		)
+		return
+	}
+
+	err = projectClient.DeleteJsonWebKeySet(ctx, state.SetID.ValueString())
 	if err != nil {
 		resp.Diagnostics.AddError(
 			"Error Deleting JSON Web Key Set",
@@ -264,6 +333,39 @@ func (r *JWKResource) Delete(ctx context.Context, req resource.DeleteRequest, re
 }
 
 func (r *JWKResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
-	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("set_id"), req.ID)...)
-	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("id"), req.ID)...)
+	// Import ID format: project_id/set_id or just set_id (uses provider's project_id)
+	id := req.ID
+	var projectID, setID string
+
+	if strings.Contains(id, "/") {
+		parts := strings.SplitN(id, "/", 2)
+		projectID = parts[0]
+		setID = parts[1]
+	} else {
+		setID = id
+	}
+
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("set_id"), setID)...)
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("id"), setID)...)
+	if projectID != "" {
+		resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("project_id"), projectID)...)
+	}
+}
+
+// resolveProjectID returns the project ID from the resource attribute or falls back to the provider's project_id.
+func (r *JWKResource) resolveProjectID(tfProjectID types.String) string {
+	if !tfProjectID.IsNull() && !tfProjectID.IsUnknown() {
+		return tfProjectID.ValueString()
+	}
+	return r.client.ProjectID()
+}
+
+// resolveProjectClient returns a client configured for the given project.
+// If project_id is provided, it resolves the slug via the console API.
+// Otherwise, it falls back to the provider's project credentials.
+func (r *JWKResource) resolveProjectClient(ctx context.Context, projectID string) (*client.OryClient, error) {
+	if projectID != "" {
+		return r.client.ProjectClientForProject(ctx, projectID)
+	}
+	return r.client, nil
 }