Create and sign the JWT

Note: Okta SDKs support creating and signing the JWT and requesting an access token. If you are using an Okta SDK, you can skip this section and the Get an access token section.

Create and sign the JWT with your private key for use as a JWT assertion in the request for a scoped access token. You can create this client_credentials JWT in several ways.

For testing purposes, use this tool to generate and sign a JWT. This tool supports both JWT and PEM formats. For a production use case, see Build a JWT with a private key for both a Java and a JavaScript example of signing the JWT.

Note: After the service app has Okta-scoped grants, only an admin with Super Admin role permissions can rotate the keys.

You can use the following JWT claims in the request for a scoped access token:

  • aud — The full URL of the resource that you're using the JWT to authenticate to
  • exp — The expiration time of the token in seconds since January 1, 1970 UTC (current UNIX timestamp). This value must be a maximum of only an hour in the future.
  • jti — (Optional) A unique identifier of the token. This value is used to prevent the JWT from being replayed. The claim is a case-sensitive string.
  • iat — (Optional) The issuing time of the token in seconds since January 1, 1970 UTC (current UNIX timestamp)
  • iss — The issuer of the token. This value must be the same as the client_id.
  • sub — The subject of the token. This value must be the same as the client_id.
  1. For this example, include the following parameters in the payload of the JWT:

    • audhttps://{yourOktaDomain}.com/oauth2/v1/token
    • issclient_id
    • subclient_id

    Payload example

    {
    "aud": "https://{yourOktaDomain}/oauth2/v1/token",
    "iss": "0oar95zt9zIpYuz6A0h7",
    "sub": "0oar95zt9zIpYuz6A0h7"
    }
  1. In the Signing Key box, paste the public and private key that you generated in the Create a public/private key pair step.

  2. For the key format, use either the default of JWT or switch to PEM, and then click Generate JWT.

  3. The signed JWT appears. Copy the JWT for use in the Get an access token step.