auth0 · avanscoy · Apr 20, 2026 · Apr 24, 2026
@@ -2,12 +2,6 @@
 description: Learn how to implement Private Key JWT Client Authentication for your enterprise connections.
 title: Private Key JWT Client Authentication for Okta and OIDC Connections
 ---
-<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
-
-Private Key JWT Client Authentication for OpenID Connect (OIDC) and Okta Workforce connections is currently available in [Early Access](/docs/troubleshoot/product-lifecycle/product-release-stages). By using this feature, you agree to the applicable Free Trial terms in Okta’s [Master Subscription Agreement](https://www.okta.com/legal/).
-
-</Callout>
-
 Private Key <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip> Client Authentication is an alternative method of client authentication for <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=OpenID">OpenID</Tooltip> Connect (OIDC) and Okta Workforce enterprise connections. While client authentication is most commonly handled by passing a shared <Tooltip tip="Client Secret: Secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable." cta="View Glossary" href="/docs/glossary?term=client+secret">client secret</Tooltip>, Private Key JWT Client Authentication instead passes a signed JWT for improved application security.
 
 By using this feature, you can avoid some common security shortcomings often seen with standard client secret authentication, such as:
@@ -75,7 +69,7 @@ You can configure OIDC and Okta Workforce enterprise connections to use Private
 <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
 
 * Private and public signing key pairs are automatically generated by Auth0 per connection.
-* You can currently only use the RS256 algorithm for signing client assertion JWTs.
+* You can use the following algorithms to sign client assertion JWTs: `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `ES256`, and `ES384` for Okta and OIDC Enterprise connections. Defaults to `RS256` if not specified.
 * Signed JWTs expire automatically after 60 seconds.
 
 </Callout>
@@ -84,12 +78,6 @@ You can configure OIDC and Okta Workforce enterprise connections to use Private
 
 You can use the Auth0 Dashboard to configure Private Key JWT Client Authentication for both new and existing OIDC and Okta Workforce connections.
 
-<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
-
-If your custom OIDC connection uses an IdP that does not advertise support for back-channel communication or `private_key_jwt` as a client authentication method in its metadata, you will not be able to set up Private Key JWT Client Authentication through the Auth0 Dashboard.
-
-</Callout>
-
 <Tabs><Tab title="New Connection">
 
 1. On your Auth0 Dashboard, navigate to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise).
@@ -110,7 +98,7 @@ If your custom OIDC connection uses an IdP that does not advertise support for b
 
    * Set **Communication Channel** to **Back Channel**.
    * Set **Authentication Method** to **Private Key JWT**.
-5. Select **Save** at the bottom of the screen.
+5. Select **Save**.
 6. On the confirmation popup, select **Change** to implement your modifications.
 
 </Tab></Tabs>
@@ -126,8 +114,10 @@ To create a new OIDC connection that uses Private Key JWT Client Authentication,
 | Property | Description |
 | --- | --- |
 | `type` | Set this property to `back_channel`. |
-| `token_endpoint_auth_method` | Set this property to `private_key_jwt`.<br/><br/>**Notes:**<ul><li> By default, this property is set to `client_secret_post`. </li><li>Errors may occur if this property is set to a value other than `private_key_jwt` or `client_secret_post`.</li></ul> |
-| `token_endpoint_auth_signing_alg` | Set this property to `RS256`.<br/><br/>**Notes:** <ul><li>This feature does not currently support additional algorithms.</li><li>Omitting this property will default its value to `RS256`.</li></ul> |
+| `token_endpoint_auth_method` | Authentication method used at the identity provider's token endpoint. Set to `private_key_jwt` to use a signed JWT assertion for enhanced security, or `client_secret_post` to send credentials in the request body. Defaults to `token-endpoint`. Applicable to `oidc` and `okta` strategies only. |
+| `token_endpoint_auth_signing_alg` | Optional. Algorithm used to sign client assertions. Accepted values: `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `ES256`, `ES384`. Defaults to `RS256` if not set. Applicable to `oidc` and `okta` strategies only. |
+| `id_token_signed_response_algs` | Optional. List of algorithms allowed to verify ID tokens issued by the identity provider. When set, Auth0 rejects ID tokens signed with any algorithm not in this list. Accepted values: `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `ES256`, `ES384`. If not set, Auth0 accepts ID tokens signed with any supported algorithm. Applicable to `oidc` and `okta` strategies only. |
+| `token_endpoint_jwtca_aud_format` | Optional. Specifies the format of the `aud` (audience) claim in the JWT used for client authentication at the token endpoint. Set to `issuer` to use the OIDC issuer URL, or `token_endpoint` to use the token endpoint URL. |
 
 **Example POST call**
 
@@ -139,25 +129,24 @@ POST /api2/connections
   options: {
     type: "back_channel",
     token_endpoint_auth_method: "private_key_jwt",
-    token_endpoint_auth_signing_alg: "RS256"
+    token_endpoint_auth_signing_alg: "RS256",
+    id_token_signed_response_algs: ["RS256", "RS384"]
   },
   …
 }
 ```
 
-
-
-
-
-
 </Tab><Tab title="Existing Connection">
 
 To modify an existing OIDC connection to use Private Key JWT Client Authentication, call the [Update a Connection](https://auth0.com/docs/api/management/v2/connections/patch-connections-by-id) endpoint with the following `connection.options` properties set appropriately:
 
 | Property | Description |
 | --- | --- |
 | `type` | Set this property to `back_channel`. |
-| `token_endpoint_auth_method` | Set this property to `private_key_jwt`.<br/><br/>**Notes:** <ul><li> Errors may occur if this property is set to a value other than `private_key_jwt` or `client_secret_post`. </li></ul> |
+| `token_endpoint_auth_method` | Authentication method used at the identity provider's token endpoint. Set to `private_key_jwt` to use a signed JWT assertion for enhanced security, or `client_secret_post` to send credentials in the request body. Defaults to `token_endpoint`. Applicable to `oidc` and `okta` strategies only. |
+| `token_endpoint_auth_signing_alg` | Optional. Algorithm used to sign client assertions. Accepted values: `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `ES256`, `ES384`. Defaults to `RS256` if not set. Applicable to `oidc` and `okta` strategies only. |
+| `id_token_signed_response_algs` | Optional. List of algorithms allowed to verify ID tokens issued by the identity provider. When set, Auth0 rejects ID tokens signed with any algorithm not in this list. Accepted values: `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `ES256`, `ES384`. If not set, Auth0 accepts ID tokens signed with any supported algorithm. Applicable to `oidc` and `okta` strategies only. |
+| `token_endpoint_jwtca_aud_format` | Optional. Specifies the format of the `aud` (audience) claim in the JWT used for client authentication at the token endpoint. Set to `issuer` to use the OIDC issuer URL, or `token_endpoint` to use the token endpoint URL. |
 
 **Example PATCH call**
 
@@ -168,17 +157,14 @@ PATCH /api2/connections/{id}
   strategy: 'oidc',
   options: {
     type: "back_channel",
-    token_endpoint_auth_method: "private_key_jwt"
+    token_endpoint_auth_method: "private_key_jwt",
+    token_endpoint_auth_signing_alg: "RS256",
+    id_token_signed_response_algs: ["RS256", "RS384"]
   },
   …
 }
 ```
 
-
-
-
-
-
 </Tab></Tabs>
 
 ## Retrieve Signing Keys
@@ -200,7 +186,7 @@ To retrieve signing keys through the Auth0 Dashboard:
 
 <Accordion title="Management API">
 
-To view public keys through the Management API, call the Retrieve Connection Signing Keys endpoint using the ID of your connection.
+To view public keys through the Management API, call the [Get connection keys](https://auth0.com/docs/api/management/v2/connections/get-keys) endpoint using the ID of your connection.
 
 <Warning>
 

@@ -3,12 +3,6 @@ title: "Private Key JWT Client Authentication for Okta and OIDC Connections"
 'description': "Learn how to implement Private Key JWT Client Authentication for your enterprise connections. "
 ---
 
-<Warning>
-
-Private Key JWT Client Authentication for OpenID Connect (OIDC) and Okta Workforce connections is currently available in [Early Access](/docs/fr-ca/troubleshoot/product-lifecycle/product-release-stages). By using this feature, you agree to the applicable Free Trial terms in Okta’s [Master Subscription Agreement](https://www.okta.com/legal/).
-
-</Warning>
-
 Private Key <Tooltip href="/docs/fr-ca/glossary?term=json-web-token" tip="Jeton Web JSON (JWT)
 Format standard de jeton d’ID (et souvent de jeton d’accès) utilisé pour représenter en toute sécurité des demandes entre deux parties." cta="Voir le glossaire">JWT</Tooltip> Client Authentication is an alternative method of client authentication for <Tooltip href="/docs/fr-ca/glossary?term=openid" tip="OpenID
 Norme ouverte d’authentification qui permet aux applications de vérifier l’identité des utilisateurs sans avoir à collecter leurs informations de connexion." cta="Voir le glossaire">OpenID</Tooltip> Connect (OIDC) and Okta Workforce enterprise connections. While client authentication is most commonly handled by passing a shared <Tooltip href="/docs/fr-ca/glossary?term=client-secret" tip="Secret client
@@ -137,7 +131,7 @@ To create a new OIDC connection that uses Private Key JWT Client Authentication,
 | --- | --- |
 | `type` | Set this property to `back_channel`. |
 | `token_endpoint_auth_method` | Set this property to `private_key_jwt`.<br/><br/>**Notes:**<ul><li> By default, this property is set to `client_secret_post`. </li><li>Errors may occur if this property is set to a value other than `private_key_jwt` or `client_secret_post`.</li></ul> |
-| `token_endpoint_auth_signing_alg` | Set this property to `RS256`.<br/><br/>**Notes:** <ul><li>This feature does not currently support additional algorithms.</li><li>Omitting this property will default its value to `RS256`.</li></ul> |
+| `token_endpoint_auth_signing_alg` | Set this property to `RS256`, `RS512`, `PS256`, `PS384`, `ES256`, or `ES384`.<br/><br/>Omitting this property will default its value to `RS256`.|
 
 **Example POST call**
 

@@ -97,6 +97,9 @@ export const codeExample1 = `{
     "RS256",
     "RS384",
     "PS256"
+    "PS384",
+    "ES256",
+    "ES384"
   ]
 }`;
 
@@ -158,8 +161,13 @@ The OIDC middleware does not support <Tooltip tip="JSON Web Token (JWT): Standar
 2. Scroll down to **Advanced Settings**.
 3. Under the **OAuth** tab, set `RS256` as **Json Web Token(JWT) Signature Algorithm** and click **Save**.
 
+<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
+If you have an OIDC Enterprise Connection, you can choose from [additional signing algorithms](/docs/authenticate/enterprise-connections/private-key-jwt-client-auth#configure-private-key-jwt-client-authentication) for Private Key JWT.
+</Callout>
+
 With this setting, Auth0 will issue JWTs signed with your private signing key. Your app will verify them with your public signing key.
 
+
 ## Configure applications with OAuth 2.0 Authorization Server Metadata
 
 If your application or SDK references the [OAuth RFC-8414](https://www.rfc-editor.org/rfc/rfc8414) <Tooltip tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user." cta="View Glossary" href="/docs/glossary?term=Authorization+Server">Authorization Server</Tooltip> Metadata specification, you can use the <Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth">OAuth</Tooltip> alias to fetch metadata about the IdP: `/.well-known/oauth-authorization-server`. For example, the [Auth0 Model Context Protocol Server](/docs/get-started/auth0-mcp-server) recommends all OAuth applications reference the OAuth Authorization Server Metadata specification.

@@ -97,7 +97,7 @@ curl --location --request POST 'https://{domain}/api/v2/clients' \
        { 
           "name": "{credentialName}", 
           "credential_type": "public_key", 
-          "pem": "{credentialublicKey}",
+          "pem": "{credentialPublicKey}",
           "alg": "{algorithm}",
           "expires_at": "{expiresAt}"
        }
@@ -111,10 +111,6 @@ curl --location --request POST 'https://{domain}/api/v2/clients' \
 ```
 
 
-
-
-
-
 | Parameter | Description |
 | --- | --- |
 | `algorithm` | Algorithm used to sign assertions. Supported values are RS256, RS384 and PS256. If not specified, the algorithm will default to RS256. |
@@ -180,11 +176,6 @@ curl --location --request POST 'https://{domain}/api/v2/clients/{clientId}/crede
 }'
 ```
 
-
-
-
-
-
 | Parameter | Description |
 | --- | --- |
 | `algorithm` | Algorithm used to sign assertions. Supported values are RS256, RS384 and PS256. If not specified, the algorithm default is RS256. |
@@ -200,7 +191,7 @@ curl --location --request POST 'https://{domain}/api/v2/clients/{clientId}/crede
 The PEM public key should be JSON-escaped before being passed to Auth0. In this example, the content we need to pass is:
 
 ```pem lines
-----BEGIN PUBLIC KEY-----
+-----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA53VzmIVVZZWyNm266l82
 mnoDc9g/snXklax5kChEhqK/WnTUvuXP4Gd4THj8rchxgUGKXd4PF3SUcKyn/qPm
 Tet0idVHk2PwP//FOVgYo5Lb04js0pgZkbyB/WjuMp1w+yMuSn0NYAP7Q9U7DfTb
@@ -280,11 +271,6 @@ curl --location --request PATCH 'https://{domain}/api/v2/clients/{clientId} \
    }'
 ```
 
-
-
-
-
-
 | Parameter | Description |
 | --- | --- |
 | `clientId` | ID of the updated application. |
@@ -305,10 +291,6 @@ curl --location --request PATCH 'https://{domain}/api/v2/clients/{clientId}/cred
 ```
 
 
-
-
-
-
 | Parameter | Description |
 | --- | --- |
 | `managementApiAccessToken` | Access tokens for the Management API with the scopes ` update:credentials`. |

@@ -15,6 +15,10 @@ The most secure practice, and our recommendation, is to use RS256 because:
 * With RS256, you are sure that only the holder of the private key (Auth0) can sign tokens, while anyone can check if the token is valid using the public key.
 * With RS256, if the private key is compromised, you can implement key rotation without having to re-deploy your application or API with the new secret (which you would have to do if using HS256).
 
+<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
+If you are configuring Private Key JWT Authentication with an Okta or OpenID Connection (OIDC) enterprise connection, you may have to choose [additional signing algorithms](/docs/authenticate/enterprise-connections/private-key-jwt-client-auth#configure-private-key-jwt-client-authentication).
+</Callout>
+
 For troubleshooting help, review [Troubleshooting Invalid Token Errors](/docs/troubleshoot/basic-issues/invalid-token-errors).
 
 ## Learn more

@@ -164,3 +164,8 @@ Claims within the assertion have the following limits:
 * `sub`: 64 characters
 * `jti`: 64 characters
 * `alg`: 16 characters
+
+## Learn more
+
+* [Configure Private Key JWT Authentication](/docs/get-started/applications/configure-private-key-jwt)
+* [Private Key JWT Client Authentication for Okta and OIDC Connections](/docs/authenticate/enterprise-connections/private-key-jwt-client-auth)
@@ -3,11 +3,6 @@ title: "Private Key JWT Client Authentication for Okta and OIDC Connections"
 'description': "Learn how to implement Private Key JWT Client Authentication for your enterprise connections. "
 ---
 
-<Warning>
-
-Private Key JWT Client Authentication for OpenID Connect (OIDC) and Okta Workforce connections is currently available in [Early Access](/docs/ja-jp/troubleshoot/product-lifecycle/product-release-stages). By using this feature, you agree to the applicable Free Trial terms in Okta’s [Master Subscription Agreement](https://www.okta.com/legal/).
-
-</Warning>
 
 Private Key <Tooltip data-tooltip-id="react-containers-DefinitionTooltip-3" href="/docs/ja-jp/glossary?term=json-web-token" tip="JSON Web Token（JWT）: 二者間のクレームを安全に表現するために使用される標準IDトークン形式（および多くの場合、アクセストークン形式）。" cta="用語集の表示">JWT</Tooltip> Client Authentication is an alternative method of client authentication for <Tooltip data-tooltip-id="react-containers-DefinitionTooltip-0" href="/docs/ja-jp/glossary?term=openid" tip="OpenID: アプリケーションがログイン情報を収集および保存することなくにユーザーのIDを検証できるようにする認証用のオープン標準。" cta="用語集の表示">OpenID</Tooltip> Connect (OIDC) and Okta Workforce enterprise connections. While client authentication is most commonly handled by passing a shared <Tooltip data-tooltip-id="react-containers-DefinitionTooltip-2" href="/docs/ja-jp/glossary?term=client-secret" tip="クライアントシークレット: クライアント（アプリケーション）が認可サーバーで認証するために使用するシークレット。これはクライアントと認可サーバーだけが知っているものであり、推測できないように十分にランダムである必要があります。" cta="用語集の表示">client secret</Tooltip>, Private Key JWT Client Authentication instead passes a signed JWT for improved application security.
 
@@ -128,7 +123,7 @@ To create a new OIDC connection that uses Private Key JWT Client Authentication,
 | --- | --- |
 | `type` | Set this property to `back_channel`. |
 | `token_endpoint_auth_method` | Set this property to `private_key_jwt`.<br/><br/>**Notes:**<ul><li> By default, this property is set to `client_secret_post`. </li><li>Errors may occur if this property is set to a value other than `private_key_jwt` or `client_secret_post`.</li></ul> |
-| `token_endpoint_auth_signing_alg` | Set this property to `RS256`.<br/><br/>**Notes:** <ul><li>This feature does not currently support additional algorithms.</li><li>Omitting this property will default its value to `RS256`.</li></ul> |
+| `token_endpoint_auth_signing_alg` | Set this property to `RS256`, `RS512`, `PS256`, `PS384`, `ES256`, or `ES384`.<br/><br/>Omitting this property will default its value to `RS256`.|
 
 **Example POST call**