Sadha Moodley
2 min read · Apr 29, 2024

Private Key JWT Authentication

Image by https://wepik.com/ AI image generator

Client secret is the most widely used client authentication method, and it is a shared secret: the authorization server stores the same value the client holds, whether the client sends the secret itself on every token request or uses it as the HMAC key that both creates and verifies a client_secret_jwt assertion. Because the secret is shared and is sent or exercised on every token request, it can be leaked from logs, proxies, configuration files or the server's own credential store, and once leaked it lets anyone act as the client.

Secret key token generation Image from https://pragmaticwebsecurity.com/articles/apisecurity/

With private key JWT authentication (the private_key_jwt method defined in OpenID Connect Core, built on RFC 7523), the client generates a public/private key pair and uses it as its credential. Only the public key is shared with the authorization server, once, when the client is registered. To request a token, the client signs a short-lived assertion with its private key, which never leaves the client, and sends that assertion to the token endpoint. Nothing secret crosses the wire, and the server stores nothing that could be used to impersonate the client.

Below is a summary of how private key JWT authentication can be set up:

  1. Initial one-off setup steps

Notes

1) The client generates a public/private key pair, for example with OpenSSL or with AWS KMS (where the private key can stay inside the service and signing is done through its API). https://www.geeksforgeeks.org/how-to-create-a-public-private-key-pair/

2) The public key is shared with the authorization server, typically at client registration, as a JWK or via a jwks_uri the server can fetch.

3) The authorization server stores the client's public key against its client_id and uses it to verify every token request from that client.

2. Token generation steps

Notes

1) The client creates an assertion, a JWT signed with its private key. The following claims are required in the assertion:

  • iss: the client ID (the client is the issuer of its own assertion)
  • sub: also the client ID, because the assertion is about the client itself
  • aud: the authorization server, normally its token endpoint URL or issuer identifier; the server must check this value so that an assertion made for one server cannot be presented to another
  • jti: a unique identifier for this assertion; the server should remember recent values and reject a repeated one
  • exp: the expiry time of the assertion; keep it short (minutes), since the assertion is meant to be used once

2) The client POSTs to the authorization server's token endpoint with the usual grant parameters plus client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer and client_assertion=<the signed JWT>.

3) The authorization server looks up the client's registered public key, verifies the assertion's signature with it, checks the claims (iss and sub match the client, aud names this server, exp has not passed, jti has not been seen before) and only then issues an access token (often itself a JWT).
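The two procedures above end to end, as an added example that is not from the article: the one-off setup (key generation and registration of the public key) and the three token steps (signed assertion, token request body, server-side verification), written in Go against the standard library only. Ed25519 keys are used (JWS alg EdDSA); RS256 or ES256 follow exactly the same shape with a different signing call. The client ID, token endpoint URL and two-minute lifetime are assumptions chosen for the example; the request parameter names follow RFC 7523. The `now` argument is Unix seconds passed in by the caller so that expiry can be exercised deterministically.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
)

// Hypothetical identifiers chosen for this example; they are not from the article.
const (
	clientID      = "example-client"
	tokenEndpoint = "https://as.example.com/oauth2/token"
	assertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" // RFC 7523
	jwsHeader     = `{"alg":"EdDSA","typ":"JWT"}`                          // RFC 8037 alg for Ed25519
)

// claims holds the five claims the article lists for the assertion.
type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Setup step 1: the client generates its key pair; only the public half is ever shared with the AS.
func generateKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }

// Token step 1: the client signs a short-lived assertion with its private key. now is Unix seconds,
// passed in so that expiry can be exercised deterministically.
func buildAssertion(priv ed25519.PrivateKey, now int64) (string, error) {
	jti := make([]byte, 16) // fresh random jti so the AS can detect replay
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	payload, _ := json.Marshal(claims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Jti: b64(jti), Exp: now + 120}) // two-minute lifetime; marshalling this struct cannot fail
	signingInput := b64([]byte(jwsHeader)) + "." + b64(payload)
	// JWS signs the ASCII of header.payload; the private key never leaves the client.
	return signingInput + "." + b64(ed25519.Sign(priv, []byte(signingInput))), nil
}

// Token step 2: the form body the client POSTs to the token endpoint (RFC 7523 parameter names).
func tokenRequestBody(assertion string) string {
	return url.Values{"grant_type": {"client_credentials"}, "client_assertion_type": {assertionType},
		"client_assertion": {assertion}}.Encode()
}

// Token step 3, the authorization server side. keys holds each client's registered public key;
// seenJTIs records used jti values so a captured assertion cannot be replayed before it expires.
type authServer struct {
	keys     map[string]ed25519.PublicKey
	seenJTIs map[string]int64
}

// Setup steps 2 and 3: the AS stores the client's public key under its client_id.
func newAuthServer(id string, pub ed25519.PublicKey) *authServer {
	return &authServer{keys: map[string]ed25519.PublicKey{id: pub}, seenJTIs: map[string]int64{}}
}

// verifyAssertion returns the authenticated client_id, or the reason the request was rejected.
func (as *authServer) verifyAssertion(form string, now int64) (string, error) {
	v, err := url.ParseQuery(form)
	if err != nil || v.Get("client_assertion_type") != assertionType {
		return "", errors.New("missing or unexpected client_assertion_type")
	}
	parts := strings.Split(v.Get("client_assertion"), ".")
	if len(parts) != 3 || parts[0] != b64([]byte(jwsHeader)) { // pin alg: never let the token choose it
		return "", errors.New("malformed assertion or unexpected JOSE header")
	}
	body, e1 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e2 := base64.RawURLEncoding.DecodeString(parts[2])
	var c claims
	if e1 != nil || e2 != nil || json.Unmarshal(body, &c) != nil {
		return "", errors.New("bad encoding")
	}
	pub, ok := as.keys[c.Iss] // iss names the client; only its registered key is trusted
	if !ok || c.Sub != c.Iss {
		return "", errors.New("unknown client or iss/sub mismatch")
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return "", errors.New("signature does not verify under the registered public key")
	}
	// Claims are only worth checking once the signature holds: right audience, not expired, unseen jti.
	if _, replayed := as.seenJTIs[c.Jti]; c.Aud != tokenEndpoint || now >= c.Exp || replayed {
		return "", errors.New("wrong audience, expired, or replayed jti")
	}
	as.seenJTIs[c.Jti] = c.Exp
	return c.Iss, nil
}
```

To exercise it, generate a key pair, build the server with `newAuthServer(clientID, pub)`, then pass `tokenRequestBody(buildAssertion(priv, now))` to `verifyAssertion`. The same body presented a second time is rejected on the jti check, an assertion signed by any other key fails signature verification, one presented at or after its exp is rejected, and an assertion whose header names a different alg never reaches the signature check at all. Note the order: the header is pinned and the signature verified before any claim is trusted, and the jti is recorded only for assertions that passed every check, so an attacker cannot fill the replay cache with junk. In production the seenJTIs map would be pruned once entries pass their recorded exp.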

https://www.linkedin.com/in/sadha-moodley/