Getting an Access Token With Private Key JWT

Overview

This article will describe how to get an access token with a Private Key JSON Web Token (JWT).

Applies To
  • Private Key JSON Web Token (JWT)
Solution
  1. Generate RSA Key Pair
  2. In the Auth0 Dashboard's app, add the public PEM key as a credential for Private Key JWT. See Configure Private Key JWT Authentication for detailed steps.
  3. Using jwt.io (for testing purposes, do not use this for production), create a JWT with the following values, replacing anything in <> with the correct value:
    //header
    {
      "alg": "RS256",
      "typ": "JWT",
      "kid": "<KEY_ID>"
    }
    
    //payload
    {
      "sub": "<CLIENT_ID>",
      "jti": "<RANDOMLY_GENERATED_UUID>",
      "iss": "<CLIENT_ID>",
      "aud": "<TENANT_DOMAIN>/oauth/token",
      "exp": <EXP_VALUE>
    }
    
    //signature - public key & private key from step 1
    //public key
    -----BEGIN PUBLIC KEY-----
    <PUBLIC KEY>
    -----END PUBLIC KEY-----
    
    //private key
    -----BEGIN PRIVATE KEY-----
    <PRIVATE KEY>
    -----END PRIVATE KEY-----
    • kid - The KeyID Auth0 creates when the public key is added to the application's credential settings.
    • sub and iss - the app's client ID.
    • jti - A random UUID.
    • exp - The Unix epoch timestamp at which the assertion expires; it must be less than 5 minutes in the future.
    • aud - `domain + /oauth/token`.
  4. Then use the JWT in this curl request to receive an access token:
    curl --location --request POST 'https://<TENANT_DOMAIN>/oauth/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'grant_type=client_credentials' \
      --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
      --data-urlencode 'client_assertion=<YOUR_JWT>' \
      --data-urlencode 'audience=https://<TENANT_DOMAIN>/api/v2/'
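
The steps above use jwt.io to sign the assertion by hand. The script below is an added example (not part of this article or of Auth0's own tooling) that does the same thing with openssl so it can be scripted and so the private key never leaves the machine: it generates the RSA key pair from step 1, builds the header and payload from step 3, signs them with RS256, and checks the result against the public key the way the token endpoint would. It assumes `openssl` and `curl` are installed; `CLIENT_ID`, `KEY_ID` and `TENANT_DOMAIN` are placeholders for your own values, and the `request_token` function is only a wrapper around the curl request from step 4.

```shell
#!/bin/sh
# Added example: build, sign and verify a Private Key JWT client assertion with openssl.
# Assumes openssl and curl are on PATH. All ids/domains below are placeholders.
set -eu

# base64url-encode stdin: standard base64, then strip '=' padding and swap +/ for -_
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# base64url-decode the first argument to stdout (restores +/ and the padding)
b64url_decode() {
  data=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#data} % 4 )) in
    2) data="${data}==" ;;
    3) data="${data}=" ;;
  esac
  printf '%s' "$data" | openssl base64 -d -A
}

# Step 1: generate a 2048-bit RSA key pair into the given directory.
# public.pem is what you upload in the Auth0 Dashboard; private.pem stays local.
generate_keys() {
  dir="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/private.pem" 2>/dev/null
  openssl pkey -in "$dir/private.pem" -pubout -out "$dir/public.pem"
}

# Step 3: make_assertion <private.pem> <client_id> <kid> <tenant_domain>
# Prints the signed JWT (header.payload.signature).
make_assertion() {
  key="$1"; client_id="$2"; kid="$3"; domain="$4"
  now=$(date +%s)
  exp=$((now + 120))              # 2 minutes: well under the 5-minute limit
  jti=$(openssl rand -hex 16)     # random, unique assertion id
  header=$(printf '{"alg":"RS256","typ":"JWT","kid":"%s"}' "$kid" | b64url)
  payload=$(printf '{"sub":"%s","jti":"%s","iss":"%s","aud":"%s/oauth/token","exp":%s}' \
              "$client_id" "$jti" "$client_id" "$domain" "$exp" | b64url)
  # RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload"
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# verify_assertion <public.pem> <jwt>: exit 0 if the signature checks out, 1 otherwise.
# This is the check the token endpoint performs with the uploaded public key.
verify_assertion() {
  pub="$1"; jwt="$2"
  header=${jwt%%.*}
  rest=${jwt#*.}
  payload=${rest%%.*}
  sig=${rest#*.}
  sigfile=$(mktemp)
  b64url_decode "$sig" > "$sigfile"
  if printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1; then
    rm -f "$sigfile"; return 0
  else
    rm -f "$sigfile"; return 1
  fi
}

# Step 4: request_token <tenant_domain> <jwt>  (the curl call from the article)
request_token() {
  domain="$1"; jwt="$2"
  curl --location --request POST "https://$domain/oauth/token" \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
    --data-urlencode "client_assertion=$jwt" \
    --data-urlencode "audience=https://$domain/api/v2/"
}

# Usage (replace placeholders): run with "run" as the first argument to hit the endpoint.
#   generate_keys ./keys
#   jwt=$(make_assertion ./keys/private.pem '<CLIENT_ID>' '<KEY_ID>' '<TENANT_DOMAIN>')
#   verify_assertion ./keys/public.pem "$jwt" && request_token '<TENANT_DOMAIN>' "$jwt"
```

Because each assertion carries a fresh `jti` and a short `exp`, a captured assertion cannot be replayed for long; regenerate one per token request rather than reusing it. Keep `private.pem` out of version control and readable only by the process that needs it.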
