Invalid Token Error With Invalid JOSE Header When Using Auth0 Angular SDK

Overview

When using Angular 14 with the Auth0 Angular SDK, obtaining a token using getAccessTokenSilently and using this access token in an application generates the following error:

error : "invalid_token" error_description : "Invalid JOSE Header kid (xnNEyhXArlnU_oUgEzLpP)"

Applies To
  • Angular 14
  • Auth0 Angular SDK
  • getAccessTokenSilently
Cause

The kid claim is an optional header claim used to specify the key for validating the signature when using RS256 as the signing algorithm.

The kid claim is not present if using HS256 as the signing algorithm. This means the same key generates and validates the signature. This key must be kept confidential and shared only by parties that need it for validating a JSON Web Token (JWT).

If using RS256, the kid claim is included in the header so that the corresponding public key for the private key used to generate the signature is identified from the list of public keys available in the JSON Web Key Set (JWKS) endpoint. This is particularly useful during key rotation.

This error occurs when there is a mismatch between the signing algorithm registered for the application and the algorithm the application is configured to use.
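As an added illustration (not code from the Auth0 article or the SDK), the following Node.js snippet decodes a token's JOSE header and checks it against the algorithm an API is configured to accept, resolving kid against a JWKS. The JWKS and tokens are constructed placeholders; the alg mismatch case corresponds to the situation described above.

```javascript
// Added example: inspect a JWT's JOSE header before signature verification and
// report why validation cannot proceed. Node.js only, no third-party packages.

// Constructed JWKS, shaped like a /.well-known/jwks.json response.
// The key material is placeholder text; only `kid` and `alg` matter here.
const SAMPLE_JWKS = {
  keys: [
    { kty: 'RSA', use: 'sig', alg: 'RS256', kid: 'key-2024-a', n: 'PLACEHOLDER', e: 'AQAB' },
    { kty: 'RSA', use: 'sig', alg: 'RS256', kid: 'key-2024-b', n: 'PLACEHOLDER', e: 'AQAB' },
  ],
};

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Build a token with the given header; payload and signature are dummies,
// since only the header is examined in this example.
function makeToken(header) {
  return `${b64url(header)}.${b64url({ sub: 'user123' })}.sig`;
}

// Decode only the JOSE header (first segment). No signature check happens here.
function decodeJoseHeader(token) {
  const [headerSeg] = token.split('.');
  return JSON.parse(Buffer.from(headerSeg, 'base64url').toString('utf8'));
}

// Classify the token against the algorithm the API is configured to accept.
// Returns { ok: true } when verification can proceed, otherwise the reason.
function checkHeader(token, expectedAlg, jwks) {
  const header = decodeJoseHeader(token);
  if (header.alg !== expectedAlg) {
    return { ok: false, reason: 'alg_mismatch', alg: header.alg, expected: expectedAlg };
  }
  if (expectedAlg === 'RS256') {
    // RS256: kid selects the public key in the JWKS (matters during key rotation).
    if (!header.kid) return { ok: false, reason: 'missing_kid' };
    const key = jwks.keys.find((k) => k.kid === header.kid && k.alg === 'RS256');
    if (!key) return { ok: false, reason: 'unknown_kid', kid: header.kid };
    return { ok: true, kid: header.kid };
  }
  // HS256: no kid; the shared secret validates the signature directly.
  return { ok: true };
}

const rsToken = makeToken({ alg: 'RS256', typ: 'JWT', kid: 'key-2024-a' });
const hsToken = makeToken({ alg: 'HS256', typ: 'JWT' });
console.log(checkHeader(rsToken, 'RS256', SAMPLE_JWKS)); // { ok: true, kid: 'key-2024-a' }
console.log(checkHeader(hsToken, 'RS256', SAMPLE_JWKS)); // { ok: false, reason: 'alg_mismatch', ... }
```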

Solution
  1. Verify the registered signing algorithm for the application.

  2. Ensure the application configuration matches the registered signing algorithm.
