---
title: EncryptedPrivateKeyJwtClientAuthenticationFilter
description: Supports client authentication with the private_key_jwt client-assertion, using a signed and encrypted JWT.
component: pinggateway
version: 2026
page_id: pinggateway:reference:EncryptedPrivateKeyJwtClientAuthenticationFilter
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/EncryptedPrivateKeyJwtClientAuthenticationFilter.html
revdate: 2024-07-10T14:05:34Z
section_ids:
  EncryptedPrivateKeyJwtClientAuthenticationFilter-usage: Usage
  EncryptedPrivateKeyJwtClientAuthenticationFilter-conf: Configuration
---

# EncryptedPrivateKeyJwtClientAuthenticationFilter

Supports client authentication with the `private_key_jwt` client-assertion, using a signed and encrypted JWT.

Clients send a signed and encrypted JWT to the Authorization Server. PingGateway builds, signs and encrypts the JWT, and prepares the request as in the following example:

```http
POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=...&
client_id=<clientregistration_id>&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=PHNhbWxwOl ... ZT
```

Use this filter with an endpoint `Handler` that requires authentication with the `private_key_jwt` client-assertion, using an encrypted JWT. For example, use it with the `endpointHandler` handler in the [OAuth2TokenExchangeFilter](OAuth2TokenExchangeFilter.html).
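
The following check is an added example, not PingGateway code. It inspects a captured token request like the one above and reports whether `client_assertion` is a five-part compact JWE (encrypted) or only a three-part signed JWS. The function names, the sample client ID, and the sample header values are constructed for illustration.

```python
import base64
import json
from urllib.parse import parse_qs

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Content-encryption ("enc") values defined in RFC 7518, section 5.1.
RFC7518_ENC = ("A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
               "A128GCM", "A192GCM", "A256GCM")


def b64url(data: bytes) -> str:
    # Base64url without padding, as used by compact JOSE serialization.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_token_request(body: str) -> list:
    """Return findings for a form-encoded token request; [] means no issue found."""
    form = parse_qs(body.replace("\n", ""))
    findings = []
    if form.get("client_assertion_type", [""])[0] != JWT_BEARER:
        findings.append("client_assertion_type is not the jwt-bearer URN")
    parts = form.get("client_assertion", [""])[0].split(".")
    if len(parts) == 3:  # header.payload.signature: claims are readable in transit
        return findings + ["assertion is a 3-part JWS: signed but not encrypted"]
    if len(parts) != 5:  # compact JWE: header.key.iv.ciphertext.tag
        return findings + ["assertion is not a compact JWE (expected 5 parts)"]
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
        alg, enc = header.get("alg"), header.get("enc")
    except (ValueError, AttributeError):
        return findings + ["JWE protected header is not a base64url JSON object"]
    if not alg:
        findings.append("JWE header has no key-management alg")
    if enc not in RFC7518_ENC:
        findings.append(f"enc {enc!r} is not in RFC 7518 section 5.1")
    return findings


# Constructed samples: header values and the opaque parts are made up.
_HDR = b64url(json.dumps({"alg": "RSA-OAEP-256", "enc": "A256GCM"}).encode())
PREFIX = ("grant_type=authorization_code&code=SAMPLE&client_id=sample-client&"
          "client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A"
          "client-assertion-type%3Ajwt-bearer&client_assertion=")
ENCRYPTED = PREFIX + ".".join([_HDR, "a2V5", "aXY", "Y3Q", "dGFn"])
SIGNED_ONLY = PREFIX + ".".join([b64url(b'{"alg":"RS256"}'), "e30", "c2ln"])

if __name__ == "__main__":
    for sample in (ENCRYPTED, SIGNED_ONLY):
        print(check_token_request(sample))
```

The check reads only the unencrypted JWE protected header, so it can run on proxy or gateway logs without access to any key.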

## Usage

```json
{
  "name": string,
  "type": "EncryptedPrivateKeyJwtClientAuthenticationFilter",
  "config": {
    "encryptionAlgorithm": configuration expression<enumeration>,
    "encryptionMethod": configuration expression<string>,
    "encryptionSecretId": configuration expression<secret-id>,
    "clientId": configuration expression<string>,
    "tokenEndpoint": configuration expression<url>,
    "secretsProvider": SecretsProvider reference,
    "signingSecretId": configuration expression<string>,
    "signingAlgorithm": configuration expression<string>,
    "jwtExpirationTimeout": configuration expression<duration>,
    "claims": map or configuration expression<map>
  }
}
```

## Configuration

- `"encryptionAlgorithm"`: *configuration expression<[string](preface.html#definition-string)>, required*

  The algorithm name used for encryption and decryption. Use algorithm names from [Java Security Standard Algorithm Names](https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#algorithmparameters-algorithms).

- `"encryptionMethod"`: *configuration expression<[string](preface.html#definition-string)>, optional*

  The algorithm method to use for encryption. Use algorithms from [RFC 7518, section 5.1](https://www.rfc-editor.org/rfc/rfc7518#section-5.1).

- `"encryptionSecretId"`: *configuration expression<[secret-id](preface.html#definition-secretid)>, required*

  The secret-id of the keys used to encrypt the JWT.

  This secret ID must point to a [CryptoKey](../security-guide/keys.html#secret-types).

- `"clientId"`: *configuration expression<[string](preface.html#definition-string)>, required*

  The `client_id` obtained when registering with the Authorization Server.

- `"tokenEndpoint"`: *configuration expression<[url](preface.html#definition-url)>, required*

  The URL to the Authorization Server's OAuth 2.0 token endpoint.

- `"secretsProvider"`: *SecretsProvider [reference](preface.html#definition-reference), required*

  The [SecretsProvider](SecretsProvider.html) to query for passwords and cryptographic keys.

- `"signingSecretId"`: *configuration expression<[string](preface.html#definition-string)>, required*

  Reference to the keys used to sign the JWT.

  This secret ID must point to a [CryptoKey](../security-guide/keys.html#secret-types).

- `"signingAlgorithm"`: *configuration expression<[string](preface.html#definition-string)>, optional*

  The JSON Web Algorithm (JWA) used to sign the JWT, such as:

  * `RS256`: RSA using SHA-256

  * `ES256`: ECDSA with SHA-256 and NIST standard P-256 elliptic curve

  * `ES384`: ECDSA with SHA-384 and NIST standard P-384 elliptic curve

  * `ES512`: ECDSA with SHA-512 and NIST standard P-521 elliptic curve

  Default: `RS256`

- `"jwtExpirationTimeout"`: *configuration expression<[duration](preface.html#definition-duration)>, optional*

  The duration for which the JWT is valid.

  Default: 1 minute

- `"claims"`: *[map](preface.html#definition-map) or configuration expression\<map>, optional*

  A map of one or more data pairs with the format `Map<String, Object>`, where:

  * The key is the name of a claim used in authentication

  * The value is the value of the claim, or a configuration expression that evaluates to the value

  The following formats are allowed:

  ```json
  {
    "args": {
      "string": "configuration expression<string>",
      ...
    }
  }
  ```

  ```json
  {
    "args": "configuration expression<map>"
  }
  ```

  Default: Empty
