JSON Web Encryption

JSON Web Encryption (JWE) is an IETF standard for representing encrypted content using JSON. In Auth0, you can configure APIs to encrypt the details inside an access token using the JWE format. 

When JWE is used, Auth0 generates a JWT access token containing a set of claims that are signed using JSON Web Signature (JWS). This JWT access token is then encrypted using JWE and serialized using the JWE Compact format. This allows solutions to maintain the confidentiality of data within the access tokens' claims while also ensuring integrity protection using a signature.

Generate and validate an access token

JWE is configured per API. Assuming the API identified by apiIdentifier has been configured to use JWE, the following request obtains an encrypted access token through the client credentials grant for a machine-to-machine (M2M) application. JWE is available for all grant types supported by Auth0.

curl -X POST --location "https://{domain}/oauth/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "client_id={clientId}&client_secret={clientSecret}&audience={apiIdentifier}&grant_type=client_credentials"

A successful response contains an encrypted access token:

{
  "access_token": "eyJ…XAw",
  "expires_in": 86400,
  "token_type": "Bearer"
}

When the access token is presented, the resource server must decrypt and validate the JWE token. The JWE protected header contains metadata describing the key management algorithm (alg), the content encryption algorithm (enc), and, if one was provided when the API was configured, the key id (kid) of the key used to encrypt the payload.

{
  …
  "alg": "RSA-OAEP-256",
  "enc": "A256GCM",
  "kid": "my-kid"
}


Using this information, the resource server can decrypt the JWE token. The result is a regular signed JWT, which is then verified using the Auth0 tenant's signing keys.

To learn how to configure JWE for your API, read Configure JSON Web Encryption.
