diff --git a/docs/README.md b/docs/README.md
index 7838ecc72b..a45bae495b 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -680,6 +680,7 @@ specified by the parameters are first.
 - `crv`: `` Key Curve to filter for. (for EC and OKP keys)
 - `alg`: `` Key supported algorithm to filter for.
 - `kid`: `` Key ID to filter for.
+ - `thumbprint`: `` JWK Key thumbprint to filter for.
 - `use`: `` Filter keys with the specified use defined. Keys missing "use" parameter will be matched but rank lower then ones with an exact match.
 - `key_ops`: `string[]` Filter keys with specified key_ops defined (if key_ops is defined on the
@@ -701,6 +702,7 @@ parameters is returned.
 - `crv`: `` Key Curve to filter for. (for EC and OKP keys)
 - `alg`: `` Key supported algorithm to filter for.
 - `kid`: `` Key ID to filter for.
+ - `thumbprint`: `` JWK Key thumbprint to filter for.
 - `use`: `` Filter keys with the specified use defined. Keys missing "use" parameter will be matched but rank lower then ones with an exact match.
 - `key_ops`: `string[]` Filter keys with specified key_ops defined (if key_ops is defined on the
diff --git a/lib/jwks/keystore.js b/lib/jwks/keystore.js
index 39110a82ad..dc24c4caae 100644
--- a/lib/jwks/keystore.js
+++ b/lib/jwks/keystore.js
@@ -51,7 +51,7 @@ class KeyStore {
 i(this).keys = new Set(keys)
 }
- all ({ alg, kid, use, kty, key_ops: ops, x5t, 'x5t#S256': x5t256, crv } = {}) {
+ all ({ alg, kid, thumbprint, use, kty, key_ops: ops, x5t, 'x5t#S256': x5t256, crv } = {}) {
 if (ops !== undefined && (!Array.isArray(ops) || !ops.length || ops.some(x => typeof x !== 'string'))) {
 throw new TypeError('`key_ops` must be a non-empty array of strings')
 }
@@ -65,6 +65,10 @@ class KeyStore {
 candidate = false
 }
+ if (candidate && thumbprint !== undefined && key.thumbprint !== thumbprint) {
+ candidate = false
+ }
+
 if (candidate && x5t !== undefined && key.x5t !== x5t) {
 candidate = false
 }
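Review bot: The new `thumbprint` check in the second hunk of lib/jwks/keystore.js is an exact string comparison against `key.thumbprint`, but nothing in the change states which digest and encoding a caller must supply; presumably it is the RFC 7638 SHA-256 thumbprint in unpadded base64url, which should be confirmed against the Key implementation. A value in any other form (hex, padded base64, a Buffer) silently matches no key, which fails closed but is hard to diagnose. I would add a comment above the check along the lines of `// exact match on key.thumbprint; a thumbprint is a public identifier, so a match selects a key and does not authenticate it`, and consider rejecting a non-string `thumbprint` with a TypeError up front, as the first hunk's context already does for `key_ops`. The body of `all()` starts and ends outside both hunks, so any validation that already happens elsewhere is not visible here.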
diff --git a/test/jwks/keystore.test.js b/test/jwks/keystore.test.js
index 888e62d89b..625e69f9a1 100644
--- a/test/jwks/keystore.test.js
+++ b/test/jwks/keystore.test.js
@@ -169,6 +169,15 @@ test('.all() and .get() kid filter', t => {
 t.is(ks.get({ kid: 'foobar' }), k)
 })
+test('.all() and .get() thumbprint filter', t => {
+ const k = generateSync('RSA')
+ const ks = new KeyStore(k)
+ t.deepEqual(ks.all({ thumbprint: 'baz' }), [])
+ t.deepEqual(ks.all({ thumbprint: k.thumbprint }), [k])
+ t.is(ks.get({ thumbprint: 'baz' }), undefined)
+ t.is(ks.get({ thumbprint: k.thumbprint }), k)
+})
+
 test('.all() and .get() x5t filter and sort', t => {
 const k = asKey(withX5C)
 const ks = new KeyStore(k)
diff --git a/types/index.d.ts b/types/index.d.ts
index df330cfe07..ba5639ba15 100644
--- a/types/index.d.ts
+++ b/types/index.d.ts
@@ -193,6 +193,7 @@ export namespace JWKS {
 x5t?: string;
 'x5t#S256'?: string;
 crv?: string;
+ thumbprint?: string;
 }
 class KeyStore {
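Review bot: The thumbprint test added in test/jwks/keystore.test.js builds its store from a single key, so the positive assertions cannot show that the filter selects the right key when several are present. Putting a second generated key `k2` in the same store and asserting `t.deepEqual(ks.all({ thumbprint: k.thumbprint }), [k])` together with `t.is(ks.get({ thumbprint: k2.thumbprint }), k2)` would pin that behaviour. A case that combines `thumbprint` with another filter such as `kid` would also confirm the new check composes with the existing ones.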