---
title: Enabling JWT authorization
description: PingFederate clients can gain access to the administrative API endpoint by providing a JSON Web Token (JWT). The <pf_install>/pingfederate/bin/jwt.properties file contains settings that allow you to configure information required to interact with one or more authorization servers as a client.
component: pingfederate
version: 13.1
page_id: pingfederate:developers_reference_guide:pf_enabling_jwt_authorization
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/developers_reference_guide/pf_enabling_jwt_authorization.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: February 26, 2026
section_ids:
  steps: Steps
---

# Enabling JWT authorization

PingFederate clients can gain access to the administrative API endpoint by providing a JSON Web Token (JWT), an IETF standard container format for a JSON object used for the secure exchange of content, such as identity or entitlement information ([RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519)). The `<pf_install>/pingfederate/bin/jwt.properties` file contains settings that allow you to configure information required to interact with one or more authorization servers as a client.

`JWT` Admin API authorization currently doesn't support encrypted JWTs. The [OAuth2](pf_enable_oauth20_authoriz.html) authorization method can accept encrypted JWTs.

## Steps

1. In the `<pf_install>/pingfederate/bin/run.properties` file, set the value of the `pf.admin.api.authentication` property to `JWT`.

   You can configure PingFederate to support both `JWT` authorization and a basic authentication method by specifying two values separated with a comma. For example, specify `pf.admin.api.authentication=JWT,LDAP`. The basic authentication methods are `native`, `LDAP`, `JWT`, and `RADIUS`. Supporting two authentication methods is helpful when you want to change applications from one method to another. You can find more information about supporting two authentication methods in the description of `pf.admin.api.authentication` in [Configuring PingFederate properties](../administrators_reference_guide/pf_config_pf_propert.html).

2. In the `<pf_install>/pingfederate/bin/jwt.properties` file, change the property values as needed. You can find instructions and additional information in the comments in the file.

   Assign at least one of the PingFederate administrative roles, as indicated in the properties file. You can find more information about permissions attached to the PingFederate roles in the PingFederate User Access Control table in [Configure access to the administrative API](pf_config_access_to_admin_api.html).

3. Restart PingFederate.

   In a clustered PingFederate environment, you only need to modify `run.properties` and `jwt.properties` on the console node.
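
To confirm which methods a console node's `run.properties` enables after step 1, for example to see whether a transitional `JWT,LDAP` setting is still in place after applications have moved to JWT, the following added example (not PingFederate code) parses the property and classifies it. The function names, status labels, sample file contents, and case-insensitive matching of method names are assumptions of this example.

```python
import re

KEY = "pf.admin.api.authentication"
# Companion methods named on this page; matched case-insensitively (assumption).
BASIC_METHODS = {"NATIVE", "LDAP", "RADIUS"}


def read_property(text, key=KEY):
    """Return the last uncommented value of `key` in Java-properties text, or None."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]\s*(.*?)\s*$")
    value = None
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue  # '#' and '!' start a comment in a properties file
        match = pattern.match(line)
        if match:
            value = match.group(1)  # a later definition overrides an earlier one
    return value


def audit_admin_api_auth(text):
    """Classify the setting; returns (status, methods). Status labels are hypothetical."""
    raw = read_property(text)
    if raw is None:
        return ("unset", [])
    methods = [m.strip() for m in raw.split(",") if m.strip()]
    upper = [m.upper() for m in methods]
    if "JWT" not in upper:
        return ("jwt-disabled", methods)
    if len(methods) == 1:
        return ("jwt-only", methods)
    others = [m for m in upper if m != "JWT"]
    if len(methods) == 2 and len(others) == 1 and others[0] in BASIC_METHODS:
        return ("jwt-plus-basic", methods)  # basic authentication is still accepted
    return ("unexpected", methods)  # not one of the forms this page describes


# Constructed sample run.properties fragments (not from a real installation).
SAMPLE_MIGRATING = """\
# admin API authentication
#pf.admin.api.authentication=native
pf.admin.api.authentication = JWT,LDAP
"""
SAMPLE_FINAL = "pf.admin.api.authentication=JWT\n"

if __name__ == "__main__":
    for name, text in (("migrating", SAMPLE_MIGRATING), ("final", SAMPLE_FINAL)):
        print(name, audit_admin_api_auth(text))
```

A `jwt-plus-basic` result means the node still accepts the second method alongside JWT, which is the state to look for when checking that a migration has been completed.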
