Client Authentication
Confidential clients authenticate to the token endpoint and to PAR. Choose a method when you register (see Registering Your Application):
| Method | How | Notes |
|---|---|---|
private_key_jwt | Send a client_assertion JWT signed by your private key (client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer). | Recommended. No shared secret to leak; reuses your signing key. |
tls_client_auth | Present your client TLS certificate (mutual TLS). | Strong; also enables certificate-bound tokens (see Sender-Constrained Tokens). |
client_secret_basic | HTTP Basic header client_id:client_secret. | Simple shared-secret. |
client_secret_post | client_id + client_secret form fields. | Simple shared-secret. |
none | No client authentication. | Public clients only — must use PKCE. |
private_key_jwt Example
curl -s -X POST "$BASE/oidc/v1/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d grant_type=authorization_code \
-d code=<authorization_code> \
-d redirect_uri=https://yourapp.example/callback \
-d client_id=$CLIENT_ID \
-d code_verifier=<code_verifier> \
-d client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
-d client_assertion=<assertion_jwt>
The client_assertion is a short-lived JWT with iss=sub=client_id, aud=the token endpoint, a unique jti, and an exp. Supported assertion signing algorithms are ES256, PS256, and RS256.