Configure JWT-secured Authorization Requests (JAR)

Prerequisites

Before configuring your application for JAR, generate an RSA key pair and upload the public key to Auth0 in PEM format for your application. You can do it via the Management API as follows:

curl --location 'https://$tenant/api/v2/clients/$client_id/credentials' \
--header 'Authorization: Bearer $management_access_token' \
--header 'Content-Type: application/json' \
--data '{
  "name": "My credentials for JAR",
  "credential_type": "public_key",
  "pem": "[YOUR PEM FILE CONTENT]",
  "alg": "RS256"
}'

Was this helpful?

/

A credential ID will be returned upon creation with the cred_ prefix. Save your credential ID and kid to configure JAR. The kid will be used in your JWT header.

Configure JAR for your application

You can configure JAR for your application using the signed_request_object client configuration property. This object property contains the following fields:

You can configure JAR for a new application or for an existing application via the Management API.

Configure JAR for a new application

When you create a new application, configure JAR by sending a POST request with the signed_request_object. In that POST request, you can also register the corresponding client credential (i.e. the key PEM):

POST https://{yourTenant}.auth0.com/api/v2/clients
Authorization: Bearer [YOUR ACCESS TOKEN]
Content-Type: application/json
{
  "name": "My App using JAR",
  "signed_request_object": {
      "required: true,
"credentials": [{
        "name": "My credential for JAR",
        "credential_type": "public_key",
        "pem": "[YOUR PEM FILE CONTENT]",
        "alg": "RS256"
}]
  },
  "jwt_configuration": {
    "alg": "RS256"
  }
}

Was this helpful?

/

Configure JAR for an existing application

When updating an existing application, you need to explicitly create a client credential first. The following POST request uses your PEM file content to create your client credentials for JAR:

to configure this snippet with your account
POST https://{yourTenant}.auth0.com/api/v2/clients/{yourClientId}/credentials
Authorization: Bearer [YOUR ACCESS TOKEN]
Content-Type: application/json
{
  "name": "My credentials for JAR",
  "credential_type": "public_key",
  "pem": "[YOUR PEM FILE CONTENT]",
  "alg": "RS256"
}

Was this helpful?

/

Then, assign the client credential to the signed_request_object client configuration. The following PATCH request associates your client credentials with the signed_request_object:

PATCH https://your_tenant.auth0.com/api/v2/clients/your_client
Authorization: Bearer [YOUR ACCESS TOKEN]
Content-Type: application/json
{
"signed_request_object": {
"credentials": [{"id": "[YOUR CREDENTIAL ID]"}]
}
}

Was this helpful?

/

Learn more