Private Key JWT is available for customers on the Enterprise plan. To upgrade, contact Auth0 pricing.
Private Key Authentication supports OIDC Connect Core Client Authentication 1.0 client authentication using JWT assertions signed with asymmetric key pairs. You can create a new application to use private_key_jwt or enable existing applications to use private key pairs for authentication.

Prerequisites

Before configuring an application that authenticates using Private Key JWT, you must generate an RSA key pair.

Configure Private Key JWT

You can use the Auth0 Dashboard to create a new application and configure the credentials or update an existing application.We recommend you securely store the current client_secret parameter before you set your application credential method to Private Key JWT. The client_secret parameter will be hidden once the Private Key JWT configuration is complete.

Configure a new application for private_key_jwt

  1. Navigate to Auth0 Dashboard > Applications > Application.
  2. Select Create Application.
  3. Choose your application type.
  4. Under the application settings, select the Credentials tab.
  5. Under Authentication Methods, select Private Key JWT.
    Configure Private Key JWT Authentication - Auth0 Dashboard instructions
  6. Configure credential details:
    1. Enter a name for the credential.
    2. Upload your PEM format or X.509 certificate.
    3. Select the algorithm to sign the assertions.
    4. Optional: Enable custom expiration. Select Set an explicit expiry date for this Credential and set a future date.
      You may receive an invalid certificate error if you are submitting an malformed key material, to avoid any issues it’s best to upload the file directly created by openssl.
  7. Select Add Credential.

Configure an existing application

  1. Navigate to Auth0 Dashboard > Applications.
  2. Select the application you want to update.
  3. Select the Credentials tab.
  4. Choose Private Key JWT.
  5. Configure credential details:
    1. Enter a name for the credential.
    2. Upload your PEM format or X.509 certificate.
    3. Select the algorithm to sign the assertions.
    4. Optional: Enable custom expiration. Select Set an explicit expiry date for this Credential and set a future date.
  6. Select Add Credential.

Configure an application to use Client Secret authentication

  1. Navigate to Auth0 Dashboard > Applications > Applications and select the application you want to update.
  2. Select the Credentials tab.
  3. Choose Client Secret (Post) or Client Secret (Basic).
  4. Select Save.

Update credential expiration

You can update an existing credential with an expiration date with Auth0 Dashboard.
  1. Navigate to Auth0 Dashboard > Applications > Applications and select the application you want to update.
  2. Select the Credentials tab.
  3. Choose the credential you want to update and select Edit Credential.
    Dashboard - Applications - Application Settings - Credentials - update expiry date
  4. Select Set an explicit expiry date for this Credential and set a future date.
  5. Select Update Credential.

Credential limits

Auth0 enforces a minimum RSA key size of 2048 bits and a maximum key size of 4096 bits. Applications can have a maximum of two credentials configured.

Rotate credentials

To prevent leaked keys, Auth0 recommends you periodically rotate the key pair. To learn how, read Rotate Credentials.

Learn more