
Authentication Methods

Client Secret Basic

When using client_secret_basic on the token or introspection endpoints, provide an Authorization header with a Basic auth value of the following form:

Authorization: "Basic " + base64( formUrlEncode(client_id) + ":" + formUrlEncode(client_secret) )

Given the client_id 78366401571920522@amce and the client_secret veryweaksecret!, this results in the following Authorization header (the "@" and "!" are form-URL-encoded to %40 and %21 before base64 encoding): Basic NzgzNjY0MDE1NzE5MjA1MjIlNDBhbWNlOnZlcnl3ZWFrc2VjcmV0JTIx

JWT with Private Key

When using private_key_jwt on the token or introspection endpoints, provide a JWT as the client assertion. It is built with the following structure and signed with the private key from the key JSON you downloaded:

Key JSON

| Key | Example | Description |
|---|---|---|
| type | "application" | The type of account; currently only application is valid |
| keyId | "81693565968962154" | The unique ID of the key |
| key | "-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----" | The private key generated by ZITADEL; it cannot be regenerated |
| clientId | [email protected] | The client_id of the application; this is the same as the subject (sub) of issued tokens |
| appId | 78366403256846242 | The ID of the application (included for completeness, not used for the JWT) |

```json
{
    "type": "application",
    "keyId": "81693565968962154",
    "key": "-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----",
    "clientId": "[email protected]",
    "appId": "78366403256846242"
}
```

JWT

| Claim | Example | Description |
|---|---|---|
| aud | "https://issuer.zitadel.ch" | String or array of intended audiences; MUST include ZITADEL's issuing domain |
| exp | 1605183582 | Unix timestamp of the expiry |
| iat | 1605179982 | Unix timestamp of the creation (signing) time of the JWT; MUST NOT be older than 1h |
| iss | "[email protected]" | String identifying the requesting party (the owner of the key), normally the clientId from the key JSON file |
| sub | "[email protected]" | The subject ID of the application, normally the clientId from the key JSON file |

```json
{
    "iss": "[email protected]",
    "sub": "[email protected]",
    "aud": "https://issuer.zitadel.ch",
    "exp": 1605183582,
    "iat": 1605179982
}
```

So that ZITADEL can identify which key signed the assertion, the JWT header must carry a kid claim holding the keyId from the key JSON:

```json
{
    "alg": "RS256",
    "kid": "81693565968962154"
}
```
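A client-side implementation of both methods on this page, added here as an example and not ZITADEL's own code: it builds the client_secret_basic header from the formula above (the page's header value decodes to the client_id 78366401571920522@amce and secret veryweaksecret!) and mints an RS256 private_key_jwt assertion with the kid header and the claims from the tables. The newDemoKey helper is an assumption for local runs; in practice the RSA key is the PEM string from the downloaded key JSON.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"time"
)

// BasicAuthHeader builds the client_secret_basic Authorization value from the
// formula above. url.QueryEscape is the form-URL encoding step, so "@" becomes
// %40 and "!" becomes %21 before the pair is base64-encoded.
func BasicAuthHeader(clientID, clientSecret string) string {
	cred := url.QueryEscape(clientID) + ":" + url.QueryEscape(clientSecret)
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(cred))
}

// seg encodes one JWT segment: base64url of the JSON without padding, as JWS requires.
func seg(v any) string {
	b, _ := json.Marshal(v) // maps of strings and integers always marshal
	return base64.RawURLEncoding.EncodeToString(b)
}

// PrivateKeyJWT signs the private_key_jwt assertion described above: RS256, the
// keyId from the key JSON as kid, iss = sub = clientId, aud = the ZITADEL issuer,
// and exp one hour after iat (the table's iat/exp pair is exactly 3600 s apart).
// Mint it fresh per request: the receiving side rejects an iat older than 1h.
func PrivateKeyJWT(key *rsa.PrivateKey, keyID, clientID, issuer string, now time.Time) (string, error) {
	input := seg(map[string]string{"alg": "RS256", "kid": keyID}) + "." +
		seg(map[string]any{"iss": clientID, "sub": clientID, "aud": issuer,
			"iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// newDemoKey is an assumption for local runs only: it generates a throwaway key.
// In practice the key is the PEM string from the downloaded key JSON.
func newDemoKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}
```

Send the assertion as the client_assertion form parameter together with client_assertion_type urn:ietf:params:oauth:client-assertion-type:jwt-bearer, and never reuse one past its exp.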