Skip to main content
Version: v2.0 (latest)

Client Authentication

Confidential clients authenticate to the token endpoint and to PAR. Choose a method when you register (see Registering Your Application):

MethodHowNotes
private_key_jwtSend a client_assertion JWT signed by your private key (client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer).Recommended. No shared secret to leak; reuses your signing key.
tls_client_authPresent your client TLS certificate (mutual TLS).Strong; also enables certificate-bound tokens (see Sender-Constrained Tokens).
client_secret_basicHTTP Basic header client_id:client_secret.Simple shared-secret.
client_secret_postclient_id + client_secret form fields.Simple shared-secret.
noneNo client authentication.Public clients only — must use PKCE.

private_key_jwt Example

curl -s -X POST "$BASE/oidc/v1/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d grant_type=authorization_code \
-d code=<authorization_code> \
-d redirect_uri=https://yourapp.example/callback \
-d client_id=$CLIENT_ID \
-d code_verifier=<code_verifier> \
-d client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
-d client_assertion=<assertion_jwt>

The client_assertion is a short-lived JWT with iss=sub=client_id, aud=the token endpoint, a unique jti, and an exp. Supported assertion signing algorithms are ES256, PS256, and RS256.