diff --git a/lib/no_way_jose/jwks/http_client.ex b/lib/no_way_jose/jwks/http_client.ex index 5848a43..c16f526 100644 --- a/lib/no_way_jose/jwks/http_client.ex +++ b/lib/no_way_jose/jwks/http_client.ex @@ -6,6 +6,40 @@ defmodule NoWayJose.Jwks.HttpClient do a custom implementation by passing the `:http_client` option to `NoWayJose.start_jwks_fetcher/3`. + ## Options + + The following options are supported by the default implementation: + + - `:timeout` - Connection and receive timeout in milliseconds (default: 30000) + - `:connect_options` - Options passed to `Req`'s `:connect_options`, including: + - `:transport_opts` - Options for the underlying socket, such as SSL settings + + ## SSL Configuration + + To disable SSL certificate verification (useful for self-signed certificates + in development/staging environments): + + NoWayJose.start_jwks_fetcher("auth0", url, + http_opts: [ + connect_options: [ + transport_opts: [verify: :verify_none] + ] + ] + ) + + To use a custom CA certificate: + + NoWayJose.start_jwks_fetcher("auth0", url, + http_opts: [ + connect_options: [ + transport_opts: [ + verify: :verify_peer, + cacertfile: "/path/to/ca-cert.pem" + ] + ] + ] + ) + ## Custom Implementation To implement a custom HTTP client: @@ -59,8 +93,18 @@ defmodule NoWayJose.Jwks.HttpClient do defp fetch_with_req(url, opts) do timeout = Keyword.get(opts, :timeout, 30_000) + connect_options = Keyword.get(opts, :connect_options, []) + + # Merge timeout into connect_options, preserving any user-provided options + connect_options = Keyword.put_new(connect_options, :timeout, timeout) + + # Build Req options with connect_options (Req 0.5.17 doesn't support finch_options) + req_opts = [ + receive_timeout: timeout, + connect_options: connect_options + ] - case Req.get(url, receive_timeout: timeout, connect_options: [timeout: timeout]) do + case Req.get(url, req_opts) do {:ok, %{status: 200, body: body}} when is_binary(body) -> {:ok, body} 
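Review bot: The new "SSL Configuration" section shows `verify: :verify_none` first and without a caveat, although the document fetched here is the key set that token signatures are checked against. With peer verification off, anyone able to intercept the connection can serve their own JWKS and have tokens signed with those keys accepted. I would put the custom-CA example first and add a sentence next to the `:verify_none` example such as `Never disable certificate verification in production; for self-signed or private CAs pass :cacertfile with verify: :verify_peer instead.`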
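Review bot: `fetch_with_req/2` now forwards caller-supplied `:connect_options` to `Req.get/2` unchanged, so a deployment running with `transport_opts: [verify: :verify_none]` leaves no trace at runtime. Because this request retrieves the keys used to validate tokens, a warning would make a leaked development setting visible. For example, before the `Req.get/2` call: `if get_in(connect_options, [:transport_opts, :verify]) == :verify_none, do: Logger.warning("JWKS fetch for #{url} has TLS certificate verification disabled")`. This assumes `Logger` is required in the module, which the hunk does not show. The `case` body continues past the end of the hunk.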
diff --git a/test/no_way_jose_test.exs b/test/no_way_jose_test.exs index 742bab7..ceaffdd 100644 --- a/test/no_way_jose_test.exs +++ b/test/no_way_jose_test.exs @@ -586,6 +586,19 @@ defmodule NoWayJoseTest do end end + # ============================================================ + # HTTP Client tests + # ============================================================ + + describe "Jwks.HttpClient" do + @tag :integration + test "passes connect_options through to Req" do + opts = [connect_options: [transport_opts: [verify: :verify_none]]] + assert {:ok, body} = NoWayJose.Jwks.HttpClient.fetch("https://httpbin.org/get", opts) + assert is_binary(body) + end + end + # ============================================================ # Helper functions # ============================================================
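Review bot: The test "passes connect_options through to Req" cannot fail if the options are dropped, because httpbin.org presents a publicly trusted certificate and the request succeeds with or without `verify: :verify_none`. It also ties the suite to a third-party host and makes disabled verification the only TLS configuration the tests exercise. A check that depends on the option would be stronger: fetch with `verify: :verify_peer` and a `cacertfile` for a CA that did not issue the server's certificate, and assert `{:error, _}`. Ideally that runs against a locally started TLS endpoint, so the `:integration` tag no longer implies outbound network access.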