Signature validation on Request JWT in OAuth2.0 /authorize operation


In, it indicates that the Request JWT must be signed using the app’s client secret. Does that mean Okta only supports the client_secret_jwt mechanism for client authentication (, and not the private_key_jwt mechanism? If private_key_jwt is not currently supported, what is the process to request that function be added to Okta?


Signing the request vs. client authentication for the token endpoint is a little different.

If you are asking about an OpenID Connect signed request:

"request_object_signing_alg_values_supported": Array[3][

signed with the client secret:

If you are asking about which token endpoint auth methods we support, it is:

"token_endpoint_auth_methods_supported": Array[4][

Okta already has a case logged internally to add private_key_jwt, if you want to track it or add your business case to it, you can send us an email at
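To make the distinction in the answer above concrete, here is an added example (not Okta's code and not from the original thread) that builds an HMAC-signed request object for /authorize keyed with the client secret, a separate client_secret_jwt client assertion for the token endpoint, and a verifier that pins the algorithm, checks expiry and checks audience. The issuer URL, client ID, client secret, redirect URI and the "/v1/token" path are placeholders/assumptions, and HS256 is assumed as the client-secret algorithm.

```python
import base64, hmac, hashlib, json, time, uuid

# Constructed placeholder values for this example; not real credentials or a real tenant.
ISSUER = "https://example.okta.com/oauth2/default"   # assumed authorization server URL
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hs256_sign(claims: dict, secret: str) -> str:
    """Compact JWS (header.payload.signature) using HS256 keyed with the client secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def hs256_verify(token: str, secret: str, expected_aud: str = None) -> dict:
    """Verify alg pinning, signature (constant-time), exp and optional aud; return claims."""
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # reject 'none' and algorithm-confusion headers
    expected = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if "exp" in claims and claims["exp"] < time.time():
        raise ValueError("expired")
    if expected_aud is not None and claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")   # a token-endpoint assertion must not pass as a request object
    return claims

def build_request_object(state: str, nonce: str, now: int = None) -> str:
    """Signed request object sent as the 'request' parameter to /authorize."""
    now = now or int(time.time())
    claims = {"iss": CLIENT_ID, "aud": ISSUER, "client_id": CLIENT_ID,
              "response_type": "code", "redirect_uri": "https://app.example/cb",  # assumed
              "scope": "openid profile", "state": state, "nonce": nonce,
              "iat": now, "exp": now + 300}
    return hs256_sign(claims, CLIENT_SECRET)

def build_client_assertion(now: int = None) -> str:
    """client_secret_jwt assertion for the token endpoint: iss=sub=client_id, aud=token endpoint."""
    now = now or int(time.time())
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": ISSUER + "/v1/token",  # assumed path
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + 300}
    return hs256_sign(claims, CLIENT_SECRET)
```

The same secret keys both JWTs, which is why the verifier's audience check matters: it is what keeps a client assertion minted for the token endpoint from being replayed as a request object, and vice versa.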