Private Key JWT

Private Key JWT is a method of client authentication where the client creates and signs a JWT using its own private key. This method is described in a combination of RFC 7521 (Assertion Framework) and RFC 7523 (JWT Profile for Client Authentication, and referenced by OpenID Connect and FAPI 2.0 Security Profile.

In OAuth, Private Key JWT can be used as a form of client authentication. Even though this is sometimes referred to a private_key_jwt, the JWT itself is actually sent in a parameter called client_assertion. Other forms of client authentication in OAuth include:

• Mutual TLS (RFC 8705)
• Client Secret (RFC 6749)

More resources

• Build a JWT for Client Authentication (developer.okta.com)
• OpenID Connect docs on Login.gov
• Private Key JWT Client Authentication (cloudentity.com)
• Client Authentication using private_key_jwt (authlete.com)