> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-fix-docs-5525.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how to configure JWT-secured Authorization Requests (JAR) for an application.

# Configure JWT-secured Authorization Requests (JAR)

export const AuthCodeBlock = ({filename, icon, language, highlight, children}) => {
  const [displayText, setDisplayText] = useState(children);
  const [copyText, setCopyText] = useState(children);
  const wrapperRef = React.useRef(null);
  useEffect(() => {
    let unsubscribe = null;
    function init() {
      if (!window.autorun || !window.rootStore) {
        return;
      }
      unsubscribe = window.autorun(() => {
        let processedChildrenForDisplay = children;
        let processedChildrenForCopy = children;
        for (const [key, value] of window.rootStore.variableStore.values.entries()) {
          const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`);
          let displayValue = value;
          if (key === "{yourClientSecret}" && value !== "{yourClientSecret}") {
            displayValue = value.substring(0, 3) + "*****MASKED*****";
          }
          processedChildrenForDisplay = processedChildrenForDisplay.replaceAll(new RegExp(escapedKey, "g"), displayValue);
          processedChildrenForCopy = processedChildrenForCopy.replaceAll(new RegExp(escapedKey, "g"), value);
        }
        setDisplayText(processedChildrenForDisplay);
        setCopyText(processedChildrenForCopy);
      });
    }
    if (window.rootStore) {
      init();
    } else {
      window.addEventListener("adu:storeReady", init);
    }
    return () => {
      window.removeEventListener("adu:storeReady", init);
      unsubscribe?.();
    };
  }, [children]);
  useEffect(() => {
    if (!wrapperRef.current) return;
    const originalWriteText = navigator.clipboard.writeText.bind(navigator.clipboard);
    let isOverriding = false;
    const handleClick = e => {
      const button = e.target.closest('[data-testid="copy-code-button"]');
      if (!button || !wrapperRef.current.contains(button)) return;
      isOverriding = true;
      navigator.clipboard.writeText = text => {
        if (isOverriding) {
          isOverriding = false;
          navigator.clipboard.writeText = originalWriteText;
          return originalWriteText(copyText);
        }
        return originalWriteText(text);
      };
      setTimeout(() => {
        if (isOverriding) {
          isOverriding = false;
          navigator.clipboard.writeText = originalWriteText;
        }
      }, 100);
    };
    const wrapper = wrapperRef.current;
    wrapper.addEventListener('click', handleClick, true);
    return () => {
      wrapper.removeEventListener('click', handleClick, true);
      if (navigator.clipboard.writeText !== originalWriteText) {
        navigator.clipboard.writeText = originalWriteText;
      }
    };
  }, [copyText]);
  return <div ref={wrapperRef}>
      <CodeBlock filename={filename} icon={icon} language={language} lines highlight={highlight}>
        {displayText}
      </CodeBlock>
    </div>;
};

export const codeExample1 = `POST https://{yourTenant}.auth0.com/api/v2/clients/{yourClientId}/credentials
  Authorization: Bearer <YOUR_ACCESS_TOKEN>
  Content-Type: application/json
  {
    "name": "My credentials for JAR",
    "credential_type": "public_key",
    "pem": "[YOUR PEM FILE CONTENT]",
    "alg": "RS256"
  }`;

export const codeExample2 = `PATCH https://{yourTenant}.auth0.com/api/v2/clients/{yourClientId}
Authorization: Bearer <YOUR_ACCESS_TOKEN>
Content-Type: application/json
{
  "signed_request_object": {
    "credentials": [{"id": "[YOUR CREDENTIAL ID]"}]
  }
}`;

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details.
</Callout>

<Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip>-Secured Authorization Requests (JAR) allow OAuth2 authorization request parameters to be packaged into a single JWT request parameter which is then signed for integrity protection.

## Prerequisites

Before configuring your application for using JAR, you must [generate an RSA key pair](/docs/secure/application-credentials/generate-rsa-key-pair).

<Warning>
  You should generate a separate key pair for each type of credential usage. For example, do not reuse the same key pairs for both JAR and Private Key JWT Authentication.
</Warning>

## Configure JAR for an application

You can configure JAR for an application with the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> and the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>.

<Tabs>
  <Tab title="Auth0 Dashboard">
    Use the Auth0 Dashboard to configure your application to use JAR with previously generated RSA keys.

    1. Navigate to [Auth0 Dashboard > Applications](https://manage.auth0.com/#/applications).
    2. Select the application you want to use with JAR.
    3. Select the **Application Settings** tab.
    4. In the **Authorization Requests** section, enable **Require JWT-Secured Authorization Requests**.
    5. If no credential is assigned and there are credentials available, you will be prompted to assign an existing credential.

           <Frame>
             <img src="https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=86bbcc52edbde14a86f31b202971a00b" alt="Dashboard > Application > Settings > Assign Existing Credentials" data-og-width="792" width="792" data-og-height="688" height="688" data-path="docs/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?w=280&fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=d5991f09f90c82aa9669c155164d8914 280w, https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?w=560&fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=9d4063825fef75b170c7d2336a72423f 560w, https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?w=840&fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=89c93fd49f43b2067be5fca74ba42ddc 840w, https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?w=1100&fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=8ca9d3fd5e69133b988a52a2f845be7c 1100w, https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?w=1650&fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=b573ff235be0b42bc85ac1bb496c3991 1650w, https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?w=2500&fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=779dec85b81dae755ae495b4561e017d 2500w" />
           </Frame>
    6. You will also have the option to assign a new credential.

           <Frame>
             <img src="https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=dbaaa333cbe21af7cc4181b399c0f049" alt="Auth0 Dashboard > Applications > Settings > Assign New Credentials" data-og-width="702" width="702" data-og-height="366" height="366" data-path="docs/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?w=280&fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=51958f05de573b0ebd3f17256d76771b 280w, https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?w=560&fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=8368fe516eb54b9d3a4ceaf9f1ddc06a 560w, https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?w=840&fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=9b0d7e3f4f8a685c18a78be73cfbf9f5 840w, https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?w=1100&fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=4507617c182eb0a296e3e3ad2d059c5b 1100w, https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?w=1650&fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=a07663136e2dba3a96d9109f763d293d 1650w, https://mintcdn.com/docs-dev-fix-docs-5525/nKZHd6OMNCEYTNul/docs/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?w=2500&fit=max&auto=format&n=nKZHd6OMNCEYTNul&q=85&s=08bccb92cbd19817aece43fa0c5f1b62 2500w" />
           </Frame>
    7. Add and assign a new credential by uploading a previously generated RSA key pair. When prompted, enter the following:

       * **Name**: a name to identify the credential
       * **Public Key**: public key of the X.509 certificate in PEM format
       * **Algorithm**: select the JAR signature algorithm
       * **Expiration Date**: set the expiration date of the credential
  </Tab>

  <Tab title="Management API">
    Use the [Management API](https://auth0.com/docs/api/management/v2) to configure JAR for your application using the `signed_request_object` client configuration property. This object property contains the following fields:

    * `required`: forces all authorization requests to the `/authorize` and `/oauth/par` to use JAR. To learn more, read [Authorization Code Flow with JWT-Secured Authorization Requests](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-jar).
    * `credentials`: an array of credential IDs used to verify signatures.

    <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
      The credentials parameter behaves similarly to the Private Key JWT parameter `client_authentication_methods.private_key_jwt.credentials` which supports credential creation when you create a new application. To learn more, read [Configure Private Key JWT](/docs/get-started/applications/configure-private-key-jwt).
    </Callout>

    You can configure JAR for a new application or for an existing application via the Management API.

    #### Configure JAR for a new application

    When you create a new application, configure JAR by sending a POST request with the `signed_request_object`. In that POST request, you can also register the corresponding client credential (i.e. the key PEM):

    ```json lines theme={null}
    POST https://{yourTenant}.auth0.com/api/v2/clients
    Authorization: Bearer <YOUR_ACCESS_TOKEN>
    Content-Type: application/json
    {
      "name": "My App using JAR",
      "signed_request_object": {
          "required": true,
    "credentials": [{
            "name": "My credential for JAR",
            "credential_type": "public_key",
            "pem": "[YOUR PEM FILE CONTENT]",
            "alg": "RS256"
    }]
      },
      "jwt_configuration": {
        "alg": "RS256"
      }
    }
    ```

    #### Configure JAR for an existing application

    When updating an existing application, you need to explicitly create a client credential first. The following POST request uses your PEM file content to create your client credentials for JAR:

    <AuthCodeBlock children={codeExample1} language="json" />

    <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
      Make sure newlines are properly JSON-encoded with no additional formatting.
    </Callout>

    Then, assign the client credential to the `signed_request_object` client configuration. The following PATCH request associates your client credentials with the `signed_request_object`:

    <AuthCodeBlock children={codeExample2} language="json" />
  </Tab>
</Tabs>

## Learn more

* [Authorization Code Flow with JWT-Secured Authorization Requests (JAR)](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-jar)