diff --git a/internal/regofunc/did_resolver_test.go b/internal/regofunc/did_resolver_test.go
index 24155722f1e6fc8f4e8e16038c0e2134675af215..93b3b24467da7fe1592f532e5acc1394483eb26a 100644
--- a/internal/regofunc/did_resolver_test.go
+++ b/internal/regofunc/did_resolver_test.go
@@ -26,6 +26,7 @@ func TestResolveFunc(t *testing.T) {
 	r := rego.New(
 		rego.Query(`did.resolve("did:indy:idunion:BDrEcHc8Tb4Lb2VyQZWEDE")`),
 		rego.Function1(DIDResolverFuncs.ResolveFunc()),
+		rego.StrictBuiltinErrors(true),
 	)
 	resultSet, err := r.Eval(context.Background())
 	assert.NoError(t, err)
diff --git a/internal/regofunc/pubkeys_test.go b/internal/regofunc/pubkeys_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..5e984d6b1f3b69f0b88f750f2e34beeccc35fc4f
--- /dev/null
+++ b/internal/regofunc/pubkeys_test.go
@@ -0,0 +1,77 @@
+package regofunc_test
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/open-policy-agent/opa/rego"
+	"github.com/stretchr/testify/assert"
+
+	"code.vereign.com/gaiax/tsa/policy/internal/regofunc"
+)
+
+func TestGetKeyFunc(t *testing.T) {
+	expected := `{"key1":"key1 data"}`
+	signerSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, _ = fmt.Fprint(w, expected)
+	}))
+	defer signerSrv.Close()
+
+	keysFuncs := regofunc.NewPubkeyFuncs(signerSrv.URL, http.DefaultClient)
+	r := rego.New(
+		rego.Query(`keys.get("key1")`),
+		rego.Function1(keysFuncs.GetKeyFunc()),
+		rego.StrictBuiltinErrors(true),
+	)
+	resultSet, err := r.Eval(context.Background())
+	assert.NoError(t, err)
+
+	resultBytes, err := json.Marshal(resultSet[0].Expressions[0].Value)
+	assert.NoError(t, err)
+	assert.Equal(t, expected, string(resultBytes))
+}
+
+func TestGetKeyFuncError(t *testing.T) {
+	signerSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer signerSrv.Close()
+
+	keysFuncs := regofunc.NewPubkeyFuncs(signerSrv.URL, http.DefaultClient)
+	r := rego.New(
+		rego.Query(`keys.get("key1")`),
+		rego.Function1(keysFuncs.GetKeyFunc()),
+		rego.StrictBuiltinErrors(true),
+	)
+	resultSet, err := r.Eval(context.Background())
+	assert.Nil(t, resultSet)
+	assert.Error(t, err)
+
+	expectedError := `keys.get("key1"): eval_builtin_error: keys.get: unexpected response from signer: 404 Not Found`
+	assert.Equal(t, expectedError, err.Error())
+}
+
+func TestGetAllKeysFunc(t *testing.T) {
+	expected := `[{"key1":"key1 data"},{"key2":"key2 data"}]`
+	signerSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, _ = fmt.Fprint(w, expected)
+	}))
+	defer signerSrv.Close()
+
+	keysFuncs := regofunc.NewPubkeyFuncs(signerSrv.URL, http.DefaultClient)
+	r := rego.New(
+		rego.Query(`keys.getAll()`),
+		rego.FunctionDyn(keysFuncs.GetAllKeysFunc()),
+		rego.StrictBuiltinErrors(true),
+	)
+	resultSet, err := r.Eval(context.Background())
+	assert.NoError(t, err)
+
+	resultBytes, err := json.Marshal(resultSet[0].Expressions[0].Value)
+	assert.NoError(t, err)
+	assert.Equal(t, expected, string(resultBytes))
+}
diff --git a/internal/service/policy/service.go b/internal/service/policy/service.go
index 7e2cebffbf44f10c99c59cf009d33d1429f61b52..605722b503e732b0e9829470ec00b8951991719a 100644
--- a/internal/service/policy/service.go
+++ b/internal/service/policy/service.go
@@ -224,9 +224,10 @@ func (s *Service) prepareQuery(ctx context.Context, group, policyName, version s
 }
 
 func (s *Service) buildRegoArgs(filename, regoPolicy, regoQuery, regoData string) (availableFuncs []func(*rego.Rego), err error) {
-	availableFuncs = make([]func(*rego.Rego), 2)
+	availableFuncs = make([]func(*rego.Rego), 3)
 	availableFuncs[0] = rego.Module(filename, regoPolicy)
 	availableFuncs[1] = rego.Query(regoQuery)
+	availableFuncs[2] = rego.StrictBuiltinErrors(true)
 	extensions := regofunc.List()
 	for i := range extensions {
 		availableFuncs = append(availableFuncs, extensions[i])