---
title: PRIVATE_KEY_JWT Flow
description: The PRIVATE_KEY_JWT token endpoint authentication method is the strongest of the client authentication methods covered here. The client signs an assertion JWT with a private key that never leaves it, and PingOne holds only the public key. Unlike CLIENT_SECRET_JWT, which signs with a secret both parties must hold, PRIVATE_KEY_JWT eliminates shared secrets entirely.
component: pingone-api
page_id: pingone-api:workflow-library:platform-sso-and-authorization/openid-connect-oidc/client-authentication-methods/test-the-workflow/private-key-jwt
canonical_url: https://developer.pingidentity.com/pingone-api/workflow-library/platform-sso-and-authorization/openid-connect-oidc/client-authentication-methods/test-the-workflow/private-key-jwt.html
section_ids:
  how-it-works: How it works
  jwt-structure: JWT structure
  setup-requirements: Setup requirements
  difference-from-client_secret_jwt: Difference from CLIENT_SECRET_JWT
  when-to-use: When to use
  implementation-steps: Implementation steps
---

# PRIVATE\_KEY\_JWT Flow

The `PRIVATE_KEY_JWT` token endpoint authentication method is the strongest of the client authentication methods covered here. The client authenticates by signing a JWT with a private key that never leaves it; PingOne holds only the corresponding public key, so nothing stored on the PingOne side can be used to impersonate the client. Unlike CLIENT\_SECRET\_JWT, which signs with a shared secret that both parties must hold, `PRIVATE_KEY_JWT` eliminates shared secrets entirely.

## How it works

1. Key Pair Generation: The client generates an RSA or EC key pair and keeps the private key in its own key store (an HSM or cloud KMS where one is available).

2. Public Key Registration: Only the public key is registered with PingOne, either by uploading it directly or by publishing a JWKS URL that PingOne fetches.

3. JWT Signing: For each token request the client signs a short-lived assertion JWT with its private key (RS256, RS384, RS512, ES256, ES384, or ES512) and sends it as `client_assertion`.

4. Verification: PingOne selects the registered public key (the `kid` header identifies it when several are registered), verifies the signature, and checks that the claims (`iss`, `sub`, `aud`, `exp`) name this client and this token endpoint.

## JWT structure

The following example shows the header, payload, and signature of the assertion JWT. Angle brackets mark values you supply; the three parts are base64url-encoded and joined with dots in the usual compact JWS form.

```text
Header:    {"typ": "JWT", "alg": "RS256", "kid": "<key_id>"}
Payload:   {
  "iss": "<client_id>",
  "sub": "<client_id>",
  "aud": "<token_endpoint_url>",
  "exp": <expiration_timestamp>,
  "jti": "<unique_identifier>"
}
Signature: RS256 (RSASSA-PKCS1-v1_5 with SHA-256) over base64url(header) + "." + base64url(payload), using the private key
```

`iss` and `sub` are both the client ID, `aud` is the token endpoint the assertion will be sent to, and `exp` should be only a few minutes ahead because the assertion is used once. `jti` is optional, but a unique value per assertion lets PingOne reject a replayed one. `kid` must match the key you registered.

## Setup requirements

Before using PRIVATE\_KEY\_JWT, you must:

* Generate a key pair (RSA 2048+ or EC P-256/P-384/P-521).

* Upload the public key to PingOne:

  * Option A: POST `/environments/{{envID}}/applications/{{appID}}/keys` with PEM certificate.

  * Option B: Configure JWKS URL in application settings.

## Difference from `CLIENT_SECRET_JWT`

| Aspect            | `CLIENT_SECRET_JWT`                                          | `PRIVATE_KEY_JWT`                                                                  |
| ----------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------------- |
| Algorithm         | HS256 (symmetric HMAC)                                       | RS256/ES256 (asymmetric signature)                                                 |
| Secret Type       | Shared secret held by both the client and PingOne            | Private key held only by the client                                                |
| Verification      | PingOne recomputes the HMAC with the same secret             | PingOne verifies the signature with the registered public key                      |
| Security          | High                                                         | Very High                                                                          |
| Compromise Impact | A leak on either side lets an attacker forge assertions      | Only a leak of the client's private key does; PingOne's stored copy is public anyway |

## When to use

* Enterprise applications with PKI infrastructure.

* Banking/Financial systems requiring the highest security.

* Government/Healthcare with strict compliance requirements.

* Zero-trust architectures eliminating shared secrets.

* Applications with certificate management capabilities.

## Implementation steps

* Generate a key pair.

* Register the public key with PingOne.

* Sign the JWT with the private key in your application.

* Send the JWT as `client_assertion` in the token request.
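The four steps above, and the JWT structure described earlier, worked through as an added example in Go using only the standard library. This is not code from the PingOne collection or any Ping SDK. It generates a P-256 key pair, builds and signs an ES256 client assertion, and then verifies that assertion the way the authorization server would: signature first, then the `iss`/`sub`/`aud`/`exp` claims, with a replay cache keyed on `jti`. The client ID, the token endpoint URL, and the key ID are placeholder assumptions; substitute your own values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Placeholder values (assumptions): substitute your client ID and your PingOne environment's token endpoint.
const clientID = "example-client-id"
const tokenEndpoint = "https://auth.pingone.com/00000000-0000-0000-0000-000000000000/as/token"

// assertionClaims is the payload shown under "JWT structure".
type assertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

var enc = base64.RawURLEncoding

// NewAssertion builds the client assertion and signs it with the client's P-256 private key (ES256).
// Keep ttl short: the assertion is single-use and only has to outlive one token request.
func NewAssertion(key *ecdsa.PrivateKey, kid string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "ES256", "kid": kid})
	jti := make([]byte, 16) // 128 random bits so the server can detect a replayed assertion
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	payload, _ := json.Marshal(assertionClaims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Exp: now.Add(ttl).Unix(), Jti: enc.EncodeToString(jti)})
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS carries an ES256 signature as r||s, each left-padded to 32 bytes (RFC 7518 section 3.4),
	// not as the ASN.1 DER that ecdsa.SignASN1 would produce.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyAssertion mirrors the authorization server: signature under the registered public key first, then claims. seenJTI stands in for the replay cache.
func VerifyAssertion(token string, pub *ecdsa.PublicKey, now time.Time, seenJTI map[string]bool) (*assertionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	rawHeader, _ := enc.DecodeString(parts[0])
	var header struct{ Alg string `json:"alg"` }
	// Pin the algorithm registered for this client; letting the header choose the verifier invites alg=none and RS256-to-HS256 confusion.
	if json.Unmarshal(rawHeader, &header) != nil || header.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify under the registered key")
	}
	rawPayload, _ := enc.DecodeString(parts[1])
	var c assertionClaims
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return nil, fmt.Errorf("iss/sub do not name the authenticating client")
	case c.Aud != tokenEndpoint:
		return nil, fmt.Errorf("aud is not this token endpoint")
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("assertion expired")
	case c.Jti == "" || seenJTI[c.Jti]:
		return nil, fmt.Errorf("missing or replayed jti")
	}
	seenJTI[c.Jti] = true
	return &c, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // step 1: only the public half is registered with PingOne
	assertion, _ := NewAssertion(key, "client-key-1", time.Now(), time.Minute)
	fmt.Println("client_assertion=" + assertion) // step 4: this goes in the token request form body
}
```

For step 4, the printed value is sent as the `client_assertion` form parameter of the token request, alongside `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer` and the grant parameters (RFC 7523 section 2.2). Two details the step list does not spell out: the verifier pins `alg` to what was registered instead of trusting the header, and an ES256 signature must be encoded as raw `r||s`, not DER, or PingOne will reject the assertion.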

> Note: This collection does not include a working `PRIVATE_KEY_JWT` example as it requires external key generation and certificate management. Refer to [Create a Private Key JWT](../../../../../auth/auth-config-options/create-a-private-key-jwt.html) for implementation guidance.
