To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to Auth0 Pricing for details.
By default, Auth0 issues that are formatted as a signed JSON Web Token (JWT), meaning that while they are integrity protected, clients and other intermediaries can still inspect them. This can lead to a loss of information privacy on data intended only to be exposed to a . To prevent unauthorized inspection of access tokens, Auth0 supports the use of nested access tokens, where access information is signed in a JWT and then encrypted and represented with JSON Web Encryption (JWE). Resource servers are expected to both decrypt these access tokens and verify the signature of the JWT payload while the information is opaque to any other parties.

Generate RSA key pair

Before configuring an API to use JWE, you must generate an RSA key pair. The private key must be kept secret. Upload the public key to Auth0 encoded in PEM format as described in Generate RSA Key Pair. Only the resource server or API server can securely access the private key to decrypt the access token.

Configure JWE for an API

Use the Auth0 Dashboard to configure JWE for your API. To begin, enable the JSON Web Encryption (JWE) toggle under Token Settings for your API.
When prompted, add a JSON Web Encryption (JWE) key:
  • Enter a friendly name for easy identification.
  • Upload a certificate with the public key encoded in PEM format.
  • Select the encryption algorithm.
  • (Optional) Enter a key identifier.
Click Add to save the JWE key, which will generate a thumbprint of the certificate.

Learn more