Private Key JWT is a method of client authentication in which the client creates a JWT and signs it with its own private key. The method is specified by a combination of RFC 7521 (Assertion Framework) and RFC 7523 (JWT Profile for Client Authentication), and is referenced by OpenID Connect and the FAPI 2.0 Security Profile.
In OAuth, Private Key JWT can be used as a form of client authentication. Even though this method is sometimes referred to as private_key_jwt, the JWT itself is actually sent in a parameter called client_assertion. Other forms of client authentication in OAuth include:
More resources