Private Key JWT Client Authentication is an authentication method that clients can use to authenticate to the authorization server at the token endpoint. With this mechanism, only clients that have registered a public key and signed a JWT with the matching private key can authenticate.

The JWT must contain some REQUIRED claim values and may contain some OPTIONAL claim values.

You can find detailed documentation in [1] on how WSO2 Identity Server supports JWT client authentication. The WSO2 documentation guides you through setting up JWT client authentication. In this article I will guide you through building a valid private key JWT to use in the token request as a client.

As per the guide [1], you will be creating a private key and a public key. Let me extract the relevant keytool commands again. I have used <client_ID> wherever you need to substitute the client_id of your OAuth2 application. When you execute the first command you will be prompted for a few inputs (organization name, name and so on). The CN you enter is important for the next steps, so keep a note of it. I have added “hasintha” as my CN in the certificate.


Once you have executed the above commands you will have quite a few files. Below is a list.

If I open my private key, privatekey.pem (of course, don’t expose yours! I am exposing mine just to show you), you can see content like the following.

Now you have almost everything required for generating a JWT for client authentication except the actual content of the JWT.

The content of the JWT will look like the following. The first part shows an actual JWT which I used for authentication, and the second part describes its content.

Now you are all set to generate the JWT. Launch your browser to and copy and paste the header and body of your JWT into the respective places on the webpage. You also need to copy and paste the content of your private key into the page (starting from “-----BEGIN PRIVATE KEY-----” and ending with “-----END PRIVATE KEY-----”). On the left side you can observe the signed JWT. That’s it. Now follow the documentation and send out a token request.
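
The signing step can also be done on your own machine with the openssl CLI, so the private key is never pasted into a web page. The following is an added example, not part of the original article or the WSO2 documentation: it assumes an RSA key in privatekey.pem, an RS256 header, and the claim set OpenID Connect Core defines for private_key_jwt (iss, sub, aud, jti and exp, plus iat); the function names and the placeholder arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): sign a private_key_jwt
# client assertion locally with the openssl CLI.

# base64url-encode stdin without padding, as JWS requires.
b64url() {
    openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# make_client_assertion CLIENT_ID TOKEN_ENDPOINT KEY_FILE [LIFETIME_SECONDS]
# Prints a compact RS256-signed JWT on stdout; returns 1 if signing fails.
# Assumes CLIENT_ID and TOKEN_ENDPOINT need no JSON escaping.
make_client_assertion() {
    client_id=$1
    token_endpoint=$2
    key_file=$3
    lifetime=${4:-300}    # short-lived: 5 minutes by default

    [ -r "$key_file" ] || { echo "cannot read key: $key_file" >&2; return 1; }

    now=$(date +%s)
    exp=$((now + lifetime))
    jti=$(openssl rand -hex 16)    # fresh random ID so each assertion is unique

    header='{"alg":"RS256","typ":"JWT"}'
    # iss and sub both carry the client_id; aud is the token endpoint URL.
    payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s","jti":"%s","iat":%s,"exp":%s}' \
        "$client_id" "$client_id" "$token_endpoint" "$jti" "$now" "$exp")

    signing_input="$(printf '%s' "$header" | b64url).$(printf '%s' "$payload" | b64url)"

    # RSASSA-PKCS1-v1_5 with SHA-256 over "<header>.<payload>" is RS256.
    signature=$(printf '%s' "$signing_input" |
        openssl dgst -sha256 -sign "$key_file" -binary 2>/dev/null | b64url)
    [ -n "$signature" ] || { echo "signing failed" >&2; return 1; }

    printf '%s.%s\n' "$signing_input" "$signature"
}

# Usage (placeholder values):
#   make_client_assertion "<client_ID>" "<token_endpoint_URL>" privatekey.pem
```

The printed value is what goes in the client_assertion parameter of the token request described in the documentation [1].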