Create the client secret JWT and private key JWT

Use the information in this topic to create a client secret JWT and private key JWT for client authentication.

JWT bearer payload claims

The JWT bearer payload must contain the following claims:
Table 1. MUST claims
Claim name | Description | Valid values
iss | Unique identifier for the entity that issued the JWT | The client ID.
sub | Principal subject identifier | The client ID.
aud | Audience: the authorization server's issuer value, as published as `issuer` in the discovery document (https://<tenantId>/oidc/endpoint/default/.well-known/openid-configuration) | https://<tenantId>/oidc/endpoint/default
exp | JWT expiration time | The number of seconds since 1970-01-01T00:00:00Z (UTC).
Note: The JWT expiration time cannot be more than 86400 seconds in the future. A far shorter lifetime (a few minutes) limits the window in which a captured assertion can be replayed.
jti | JWT identifier | A randomly generated opaque string. Use a fresh value for every assertion so that the server can detect reuse.
The JWT bearer payload may contain the following claims:
Table 2. MAY claims
Claim name | Description | Valid values
nbf | JWT not-before time | The number of seconds since 1970-01-01T00:00:00Z (UTC).
iat | JWT creation time | The number of seconds since 1970-01-01T00:00:00Z (UTC).
Note: The JWT creation time cannot be more than 86400 seconds in the past.

JWT payload example

```json
{
  "iss": "29e81c80-b507-463c-b542-5a1177b37808",
  "sub": "29e81c80-b507-463c-b542-5a1177b37808",
  "aud": "https://sometenant.ice.com/oidc/endpoint/default",
  "exp": 1324298520,
  "jti": "araiov8werli2awerlj"
}
```

The `aud` value is the issuer from the discovery document, as listed in Table 1, not the token endpoint URL.

Supported algorithms

Table 3. Supported algorithms
Purpose Supported algorithms
JWS 'alg' for signing | 'RS256', 'RS384', 'RS512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512'
The JWT must be signed. For a client secret JWT, sign with one of the HMAC algorithms (HS256, HS384, HS512) using the client secret as the key. For a private key JWT, sign with one of the RSA algorithms (RS* or PS*) using the client's private key, and ensure that the corresponding public key is published in the jwks_uri. If the jwks_uri is not available, then add the public certificate into the system. See Managing certificates.

Ensure that the signed JWT includes the `kid` header to uniquely identify the key that is used. The server uses `kid` to select the matching key from the jwks_uri, which is what makes key rotation possible without a gap: publish the new key under a new `kid` first, then switch the signer over.
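The following is an added example, not code from the product documentation. It builds a client secret JWT (HS256, signed with the client secret) carrying the Table 1 claims and a `kid` header, and models the checks an authorization server applies before accepting such an assertion: signature, `alg` pinning, the MUST claims, the 86400-second bounds on `exp` and `iat`, and `jti` reuse. It uses only the Python standard library; the client ID, secret, issuer and `kid` values are constructed for illustration, and the server-side verifier is a model of the rules stated in Tables 1 and 2, not the server's actual implementation.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
MAX_WINDOW = 86400  # exp at most this far ahead, iat at most this far behind (Tables 1 and 2)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_secret_jwt(client_id, client_secret, issuer, kid, lifetime=300, now=None):
    """Client side: compact JWS signed with HS256 over the client secret."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    claims = {
        "iss": client_id,            # MUST: the client ID
        "sub": client_id,            # MUST: the client ID
        "aud": issuer,               # MUST: issuer from the discovery document
        "iat": now,                  # MAY
        "exp": now + lifetime,       # MUST: short lifetime, well under 86400 s
        "jti": secrets.token_urlsafe(16),  # MUST: fresh per assertion
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    mac = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def verify_client_secret_jwt(token, client_id, client_secret, issuer, now=None, seen_jti=None):
    """Server side (model of the rules in the tables): returns (ok, reason_or_jti)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed compact JWS"
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'none' or a swapped alg
        return False, "unexpected alg"
    expected = hmac.new(client_secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p64))
    for name in ("iss", "sub", "aud", "exp", "jti"):
        if name not in claims:
            return False, f"missing {name}"
    if claims["iss"] != client_id or claims["sub"] != client_id:
        return False, "iss/sub must be the client ID"
    auds = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if issuer not in auds:
        return False, "aud mismatch"
    if claims["exp"] <= now:
        return False, "expired"
    if claims["exp"] > now + MAX_WINDOW:
        return False, "exp more than 86400 s in the future"
    if "iat" in claims and claims["iat"] < now - MAX_WINDOW:
        return False, "iat more than 86400 s in the past"
    if "nbf" in claims and claims["nbf"] > now:
        return False, "not yet valid"
    if seen_jti is not None:              # replay detection across the assertion's lifetime
        if claims["jti"] in seen_jti:
            return False, "jti already used"
        seen_jti.add(claims["jti"])
    return True, claims["jti"]


def token_request_body(client_id, assertion, grant_type, scope="openid", **extra):
    """Form body for the token endpoint; extra carries grant-specific parameters."""
    params = {
        "grant_type": grant_type,
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
    }
    params.update(extra)
    return urlencode(params)


if __name__ == "__main__":
    # Constructed values for illustration only.
    cid, secret, iss = "29e81c80-b507-463c-b542-5a1177b37808", "s3cr3t-from-the-admin-console", "https://sometenant.ice.com/oidc/endpoint/default"
    assertion = build_client_secret_jwt(cid, secret, iss, kid="client-secret-2024")
    print(verify_client_secret_jwt(assertion, cid, secret, iss))
    print(token_request_body(cid, assertion, "client_credentials"))
```

The verifier pins `alg` to the value the client is registered with rather than trusting the header, and checks the signature before reading any claim; a private key JWT follows the same shape with an RSA/PSS signature and the `kid` resolved against the jwks_uri.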

Request example

After the JWT is created, a request can be submitted to the token endpoint by using that JWT as the client assertion. The client secret itself is never sent; only the signed assertion and the client ID are.
```
curl -ki https://<tenantId>/v1.0/endpoint/default/token \
  -d "grant_type=password" \
  -d "client_id=87df91dc-63de-4765-8701-b59cc8bd9e11" \
  -d "scope=openid" \
  -d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
  -d "client_assertion=eyJhbGci..."
```

The client_assertion_type must always be urn:ietf:params:oauth:client-assertion-type:jwt-bearer. curl joins the separate -d values with `&` into one form body. The password grant shown here additionally requires the username and password form parameters, which are omitted from the example. The -k flag disables TLS certificate verification and is only appropriate against a test tenant; remove it in production so that the assertion cannot be captured by an interposed endpoint.