Configure Private Key JWT Authentication

Private Key JWT authentication implements OpenID Connect Core 1.0 client authentication using JWT assertions signed with an asymmetric key pair. You can create a new application that uses private_key_jwt, or enable existing applications to authenticate with a private key pair.

Prerequisite

Generate a key pair

To configure an application that authenticates using Private Key JWT, generate an RSA key pair.

When you register the public key with Auth0, you must provide the public key encoded in PEM format. You may provide this as an X.509 certificate encoded in PEM format. Auth0 enforces a minimum RSA key size of 2048 bits and a maximum key size of 4096 bits. We recommend using openssl to generate a 2048 bit RSA key pair.

  1. Generate a private key and a public key in PEM format. Safeguard the private key and never share it, not even with Auth0.

    openssl genrsa -out test_key.pem 2048

  2. Extract the public key in PEM format using the following command. It writes only the public key components, so the result can be shared without revealing the private key.

    openssl rsa -in test_key.pem -outform PEM -pubout -out test_key.pem.pub

    The example below shows the contents of the test_key.pem.pub PEM file:

    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA53VzmIVVZZWyNm266l82
    mnoDc9g/snXklax5kChEhqK/WnTUvuXP4Gd4THj8rchxgUGKXd4PF3SUcKyn/qPm
    Tet0idVHk2PwP//FOVgYo5Lb04js0pgZkbyB/WjuMp1w+yMuSn0NYAP7Q9U7DfTb
    jmox8OQt4tCB4m7UrJghGqT8jkPyZO/Ka6/XsyjTYPOUL3t3PD7JShVAgo1mAY6g
    Sr4SORywIiuHsg+59ad7MXGy78LirhtqAcDECKF7VZpxMuEjMLg3o2yzNUeWI2Mg
    IF+t0HbO1E387fvLcuSyai1yWbSr1PXyiB2aXyDpbD4u7d3ux4ahU2opH11lBqvx
    +wIDAQAB
    -----END PUBLIC KEY-----

  3. Save the key contents. You will need the PEM contents in other configuration steps.

Configure Private Key JWT

You can use the Auth0 Dashboard to create a new application and configure the credentials or update an existing application.

We recommend you securely store the current client_secret parameter before you set your application credential method to Private Key JWT. The client_secret parameter will be hidden once the Private Key JWT configuration is complete.

Configure a new application for private_key_jwt

  1. Navigate to Auth0 Dashboard > Applications > Applications.

  2. Select Create Application.

  3. Choose your application type.

  4. Under the application settings, select the Credentials tab.

  5. Under Authentication Methods, select Private Key JWT.

  6. Configure credential details:

    1. Enter a name for the credential.

    2. Upload your public key in PEM format or as an X.509 certificate.

    3. Select the algorithm to sign the assertions.

    4. Optional: Enable custom expiration. Select Set an explicit expiry date for this Credential and set a future date.

  7. Select Add Credential.

Configure an existing application

  1. Navigate to Auth0 Dashboard > Applications.

  2. Select the application you want to update.

  3. Select the Credentials tab.

  4. Choose Private Key JWT.

  5. Configure credential details:

    1. Enter a name for the credential.

    2. Upload your public key in PEM format or as an X.509 certificate.

    3. Select the algorithm to sign the assertions.

    4. Optional: Enable custom expiration. Select Set an explicit expiry date for this Credential and set a future date.

  6. Select Add Credential.

Configure an application to use Client Secret authentication

  1. Navigate to Auth0 Dashboard > Applications > Applications and select the application you want to update.

  2. Select the Credentials tab.

  3. Choose Client Secret (Post) or Client Secret (Basic).

  4. Select Save.

Update credential expiration

You can set or change the expiration date of an existing credential in the Auth0 Dashboard.

  1. Navigate to Auth0 Dashboard > Applications > Applications and select the application you want to update.

  2. Select the Credentials tab.

  3. Choose the credential you want to update and select Edit Credential.

  4. Select Set an explicit expiry date for this Credential and set a future date.

  5. Select Update Credential.

Credential limits

Auth0 enforces a minimum RSA key size of 2048 bits and a maximum key size of 4096 bits. Applications can have a maximum of two credentials configured.

Rotate credentials

To limit the exposure from a leaked key, Auth0 recommends that you rotate the key pair periodically. To learn how, read Rotate Credentials.