---
title: PrivateKeyJwtClientAuthenticationFilter
description: Supports client authentication with the private_key_jwt client-assertion, using an unencrypted JWT.
component: pinggateway
version: 2026
page_id: pinggateway:reference:PrivateKeyJwtClientAuthenticationFilter
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/PrivateKeyJwtClientAuthenticationFilter.html
revdate: 2026-02-11T12:00:00Z
section_ids:
  PrivateKeyJwtClientAuthenticationFilter-usage: Usage
  PrivateKeyJwtClientAuthenticationFilter-conf: Configuration
---

# PrivateKeyJwtClientAuthenticationFilter

Supports client authentication with the `private_key_jwt` client-assertion, using an unencrypted JWT.

Clients send a signed JWT to the Authorization Server. PingGateway builds and signs the JWT, and prepares the request as in the following example:

```http
POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=...&
client_id=<clientregistration_id>&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=PHNhbWxwOl ... ZT
```

Use this filter with an endpoint handler that requires authentication with the `private_key_jwt` client-assertion, using an unencrypted JWT. For example, use it with the `endpointHandler` handler in the [OAuth2TokenExchangeFilter](OAuth2TokenExchangeFilter.html).

## Usage

```json
{
  "name": string,
  "type": "PrivateKeyJwtClientAuthenticationFilter",
  "config": {
    "clientId": configuration expression<string>,
    "tokenEndpoint": configuration expression<url>,
    "secretsProvider": SecretsProvider reference,
    "signingSecretId": configuration expression<secret-id>,
    "signingAlgorithm": configuration expression<string>,
    "jwtExpirationTimeout": configuration expression<duration>,
    "claims": map or configuration expression<map>
  }
}
```

## Configuration

* `"clientId"`: *configuration expression<[string](preface.html#definition-string)>, required*

  The `client_id` obtained when registering with the Authorization Server.

* `"tokenEndpoint"`: *configuration expression<[url](preface.html#definition-url)>, required*

  The URL to the Authorization Server's OAuth 2.0 token endpoint.

* `"secretsProvider"`: *SecretsProvider [reference](preface.html#definition-reference), required*

  The [SecretsProvider](SecretsProvider.html) to query for passwords and cryptographic keys.

* `"signingSecretId"`: *configuration expression<[string](preface.html#definition-string)>, required*

  Reference to the keys used to sign the JWT.

  This secret ID must point to a [CryptoKey](../security-guide/keys.html#secret-types).

* `"signingAlgorithm"`: *configuration expression<[string](preface.html#definition-string)>, optional*

  The JSON Web Algorithm (JWA) used to sign the JWT, such as:

  * `RS256`: RSA using SHA-256

  * `ES256`: ECDSA with SHA-256 and NIST standard P-256 elliptic curve

  * `ES384`: ECDSA with SHA-384 and NIST standard P-384 elliptic curve

  * `ES512`: ECDSA with SHA-512 and NIST standard P-521 elliptic curve

  Default: `RS256`

* `"jwtExpirationTimeout"`: *configuration expression<[duration](preface.html#definition-duration)>, optional*

  The duration for which the JWT is valid.

  Default: 1 minute

* `"claims"`: *[map](preface.html#definition-map) or configuration expression\<map>, optional*

  A map of one or more data pairs with the format `Map<String, Object>`, where:

  * The key is the name of a claim used in authentication

  * The value is the value of the claim, or a configuration expression that evaluates to the value

  The following formats are allowed:

  ```json
  {
    "claims": {
      "string": "configuration expression<string>",
      ...
    }
  }
  ```

  ```json
  {
    "claims": "configuration expression<map>"
  }
  ```

  Default: Empty
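The following added example (not PingGateway code) checks a captured token request against the settings above, for example when troubleshooting a rejected assertion. It tests the claims that OpenID Connect Core requires for `private_key_jwt` (`iss`, `sub`, `aud`, `exp`, `jti`), assumes the Authorization Server expects its token endpoint URL in `aud`, and does not verify the signature; the function names and sample values are constructed for illustration.

```python
import base64, json
from urllib.parse import parse_qs

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
ALLOWED_ALGS = {"RS256", "ES256", "ES384", "ES512"}  # algorithms listed on this page

def _b64url_json(part):
    # JWT segments are base64url without padding; restore it before decoding
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_client_assertion(body, client_id, token_endpoint, max_lifetime, now):
    """Return a list of problems in a token request body (empty list = OK).
    Structural checks only: the signature is NOT verified here."""
    form = parse_qs(body)
    problems = []
    if form.get("client_assertion_type") != [ASSERTION_TYPE]:
        problems.append("client_assertion_type is not jwt-bearer")
    parts = form.get("client_assertion", [""])[0].split(".")
    if len(parts) != 3:
        return problems + ["client_assertion is not a compact JWS"]
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    if header.get("alg") not in ALLOWED_ALGS:  # also rejects "none"
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        problems.append("iss and sub must both equal the client_id")
    aud = claims.get("aud")  # assumption: the AS expects its token endpoint URL
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not name the token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp missing or already expired")
    elif exp - now > max_lifetime:  # compare with jwtExpirationTimeout, in seconds
        problems.append("exp is further out than the configured lifetime")
    if not claims.get("jti"):
        problems.append("jti missing (needed for replay detection)")
    return problems

def make_sample_body(alg, claims):
    """Build a CONSTRUCTED request body with a placeholder (invalid) signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    jwt = ".".join([enc({"alg": alg, "typ": "JWT"}), enc(claims), "c2ln"])
    return ("grant_type=authorization_code&code=abc&client_id=" + claims["iss"]
            + "&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A"
              "client-assertion-type%3Ajwt-bearer&client_assertion=" + jwt)
```

Pass `max_lifetime` in seconds (60 for the default `jwtExpirationTimeout`) and supply the capture time as `now`.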
