> Learn how to encrypt access tokens using JSON Web Encryption.

# JSON Web Encryption

JSON Web Encryption (JWE) is an [IETF standard](https://datatracker.ietf.org/doc/html/rfc7516) for representing encrypted content using JSON. In Auth0, you can configure APIs to encrypt the details inside an <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip> using the JWE format.

When JWE is used, Auth0 generates a <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip> access token containing a set of claims that are signed using JSON Web Signature (JWS). This signed JWT is then encrypted using JWE and serialized in the JWE Compact format. Nesting the signed token inside the encrypted one keeps the claims confidential from anyone who does not hold the decryption key, while the inner signature still provides integrity protection.

## Generate and validate an access token

[Configure JWE for each API](/docs/get-started/apis/configure-json-web-encryption) that should issue encrypted access tokens. Assuming you have configured the API identified by `apiIdentifier` to use JWE, the following code sample requests an encrypted access token via the client credentials grant for a machine-to-machine (M2M) application. JWE is available for all grant types supported by Auth0.

```bash lines theme={null}
curl -X POST --location "https://{domain}/oauth/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "client_id={clientId}&client_secret={clientSecret}&audience={apiIdentifier}&grant_type=client_credentials"
```

A successful response contains an encrypted access token:

```json lines theme={null}
{
  "access_token": "eyJ…XAw",
  "expires_in": 86400,
  "token_type": "Bearer"
}
```

When the access token is used, the <Tooltip tip="Resource Server: Server hosting protected resources. Resource servers accept and respond to protected resource requests." cta="View Glossary" href="/docs/glossary?term=resource+server">resource server</Tooltip> must decrypt and validate the JWE token.
The JWE protected header contains metadata describing the key management algorithm ([`alg`](https://datatracker.ietf.org/doc/html/rfc7516#section-4.1.1)) used to encrypt the content encryption key, the content encryption algorithm ([`enc`](https://datatracker.ietf.org/doc/html/rfc7516#section-4.1.2)) used to encrypt the payload, and, if one was provided when [configuring the API](/docs/get-started/apis/configure-json-web-encryption), the key id (`kid`) of the key the resource server must use to decrypt it.

```json lines theme={null}
{
  …
  "alg": "RSA-OAEP-256",
  "enc": "A256GCM",
  "kid": "my-kid"
}
```

Using this information, the resource server can decrypt the JWE token. The result is a regular signed JWT, which can then be verified using your Auth0 tenant's signing keys.

To learn how to configure JWE for your API, read [Configure JSON Web Encryption](/docs/get-started/apis/configure-json-web-encryption).

## Learn more

* [Configure JSON Web Encryption (JWE)](/docs/get-started/apis/configure-json-web-encryption)
