Skip to main content

Authentication Methods in ZITADEL

Client Secret Basic

When using client_secret_basic on token or introspection endpoints, provide anAuthorization header with a Basic auth value in the following form:

Authorization: "Basic " + base64( formUrlEncode(client_id) + ":" + formUrlEncode(client_secret) )

Given the client_id 78366401571920522@amce and client_secret veryweaksecret!, this would result in the following Authorization header: Basic NzgzNjY0MDE1NzE5MjA1MjIlNDBhbWNlOnZlcnl3ZWFrc2VjcmV0JTIx

JWT with Private Key

When using private_key_jwt (urn:ietf:params:oauth:client-assertion-type:jwt-bearer) for token or introspection endpoints, provide a JWT as assertion generated with the following structure and signed with a downloaded key:


type"application"The type of account, right now only application is valid
keyId"81693565968962154"This is unique ID of the key
key"-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----"The private key generated by ZITADEL, this can not be regenerated!
clientId78366401571920522@acmeThe client_id of the application, this is the same as the subject from tokens
appId78366403256846242The id of the application (just for completeness, not used for JWT)
"type": "application",
"keyId": "81693565968962154",
"key": "-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----",
"clientId": "78366401571920522@acme",
"appId": "78366403256846242"


aud"https://$CUSTOM-DOMAIN"String or Array of intended audiences MUST include ZITADEL's issuing domain
exp1605183582Unix timestamp of the expiry
iat1605179982Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h
iss"78366401571920522@acme"String which represents the requesting party (owner of the key), normally the clientID from the json key file
sub"78366401571920522@acme"The subject ID of the application, normally the clientID from the json key file
"iss": "78366401571920522@acme",
"sub": "78366401571920522@acme",
"aud": "https://$CUSTOM-DOMAIN",
"exp": 1605183582,
"iat": 1605179982

To identify your key, it is necessary that you provide a JWT with a kid header claim representing your keyId from the Key JSON:

"alg": "RS256",
"kid": "81693565968962154"