PingOne Platform APIs

PRIVATE_KEY_JWT Flow

The PRIVATE_KEY_JWT token endpoint authentication method is the strongest of the client authentication methods because it relies on asymmetric cryptography (a public/private key pair). Unlike CLIENT_SECRET_JWT, where the client and PingOne both hold the same secret, PRIVATE_KEY_JWT gives PingOne only the public key, so no shared secret exists anywhere.

How it works

  1. Key Pair Generation: Client generates an RSA or EC key pair.

  2. Public Key Registration: Public key is registered with PingOne (using JWKS URL or direct upload).

  3. JWT Signing: Client signs JWT with its private key (RS256, RS384, RS512, ES256, ES384, ES512).

  4. Verification: PingOne verifies JWT signature using the registered public key.

JWT structure

The following example shows the JSON structure of the JWT. The aud value must be the exact token endpoint URL of the environment, and exp should be a short time in the future (a few minutes), because the assertion is a bearer credential until it expires.

Header: {"typ": "JWT", "alg": "RS256", "kid": "key-id"}
Payload: {
  "iss": "<client_id>",
  "sub": "<client_id>",
  "aud": "<token_endpoint_url>",
  "exp": <expiration_timestamp>,
  "jti": "<unique_identifier>" (optional)
}
Signature: computed with the algorithm named in alg (for RS256, RSASSA-PKCS1-v1_5 with SHA-256) over base64url(header) + "." + base64url(payload), using the private key. The kid in the header tells PingOne which registered public key to use for verification.

Setup requirements

Before using PRIVATE_KEY_JWT, you must:

  • Generate a key pair (RSA 2048+ or EC P-256/P-384/P-521).

  • Upload the public key to PingOne:

    • Option A: POST /environments/{{envID}}/applications/{{appID}}/keys with PEM certificate.

    • Option B: Configure JWKS URL in application settings.

Difference from CLIENT_SECRET_JWT

  • Algorithm: CLIENT_SECRET_JWT uses HS256 (symmetric HMAC). PRIVATE_KEY_JWT uses RS256/RS384/RS512 or ES256/ES384/ES512 (asymmetric signatures).

  • Secret type: CLIENT_SECRET_JWT uses a shared secret. PRIVATE_KEY_JWT uses a private key that never leaves the client.

  • Verification: with CLIENT_SECRET_JWT, PingOne recomputes the HMAC using the same secret the client holds. With PRIVATE_KEY_JWT, PingOne verifies the signature using only the registered public key.

  • Security: CLIENT_SECRET_JWT is high. PRIVATE_KEY_JWT is very high.

  • Compromise impact: with CLIENT_SECRET_JWT, a leak of the shared secret on either side (client or PingOne) lets an attacker impersonate the client. With PRIVATE_KEY_JWT, a leak of what PingOne stores (the public key) gives an attacker nothing; only a leak of the client's own private key allows impersonation, and that key can be rotated by registering a new public key.

When to use

  • Enterprise applications with PKI infrastructure.

  • Banking/Financial systems requiring the highest security.

  • Government/Healthcare with strict compliance requirements.

  • Zero-trust architectures eliminating shared secrets.

  • Applications with certificate management capabilities.

Implementation steps

  • Generate a key pair.

  • Register the public key with PingOne.

  • Sign the JWT with the private key in your application.

  • Send the JWT as client_assertion in the token request.

This collection does not include a working PRIVATE_KEY_JWT example as it requires external key generation and certificate management. Refer to Create a Private Key JWT for implementation guidance.
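The following is an added example, not part of this collection or of PingOne's own code, that walks through the four implementation steps above end to end: it generates an EC P-256 key pair, renders the public key as the JWK you would publish for setup Option B, signs an ES256 client_assertion with the claims shown in the JWT structure section, verifies it the way an authorization server would with only the public key (pinning the algorithm, checking aud, iss/sub and exp), and builds the form body of the token request. The client ID and token endpoint URL are constructed placeholders; replace them with your own. Go's standard library is used so the example runs offline with no dependencies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Constructed, hypothetical values: use your own client ID and the token endpoint of
// your PingOne environment. The aud claim must match the token endpoint exactly.
const (
	clientID      = "example-client-id"
	tokenEndpoint = "https://auth.pingone.com/00000000-0000-0000-0000-000000000000/as/token"
)

// Claims carried by the client assertion (RFC 7523 section 3).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// buildAssertion signs an ES256 client_assertion with the client's P-256 private key.
func buildAssertion(key *ecdsa.PrivateKey, kid string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "ES256", "kid": kid})
	payload, _ := json.Marshal(Claims{
		Iss: clientID, Sub: clientID, Aud: tokenEndpoint, Iat: now.Unix(),
		Exp: now.Add(5 * time.Minute).Unix(), // short lifetime limits the replay window
		Jti: b64url(jti),                     // unique per assertion so the server can reject replays
	})
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are r||s as two fixed 32-byte big-endian integers, not ASN.1 DER.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// verifyAssertion performs the checks the authorization server performs with the
// registered public key: pinned algorithm, signature, audience, issuer/subject, expiry.
func verifyAssertion(pub *ecdsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" { // never let the token choose the algorithm ("none", HS256 confusion)
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("invalid signature")
	}
	plBytes, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(plBytes, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Aud != tokenEndpoint:
		return nil, errors.New("audience mismatch")
	case c.Iss != clientID || c.Sub != clientID:
		return nil, errors.New("issuer/subject mismatch")
	case now.Unix() >= c.Exp:
		return nil, errors.New("assertion expired")
	}
	return &c, nil
}

// publicJWK renders the public key as the JWK to publish in a JWKS document (setup Option B).
func publicJWK(pub *ecdsa.PublicKey, kid string) map[string]string {
	x, y := make([]byte, 32), make([]byte, 32)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	return map[string]string{"kty": "EC", "crv": "P-256", "use": "sig", "kid": kid, "x": b64url(x), "y": b64url(y)}
}

// tokenRequestBody builds the x-www-form-urlencoded body of the client_credentials token request.
func tokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	return v.Encode()
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // step 1: key pair
	if err != nil {
		panic(err)
	}
	jwks, _ := json.Marshal(map[string]any{"keys": []any{publicJWK(&key.PublicKey, "key-1")}})
	fmt.Println("JWKS to register with PingOne:", string(jwks)) // step 2: public key registration
	assertion, err := buildAssertion(key, "key-1", time.Now()) // step 3: sign
	if err != nil {
		panic(err)
	}
	if _, err := verifyAssertion(&key.PublicKey, assertion, time.Now()); err != nil {
		panic(err)
	}
	fmt.Println("POST", tokenEndpoint, "\n"+tokenRequestBody(assertion)) // step 4: send as client_assertion
}
```

The verifier side is included so you can see why the scheme holds: it needs nothing but the public key, it refuses any alg other than the one registered for the client, and it rejects an assertion that has expired or that names a different token endpoint as its audience. Send the form body with Content-Type: application/x-www-form-urlencoded; PingOne looks up the key by kid, so the kid in the header must match the one you registered.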