
Step 3: JWT Bearer Grant

Present the ID-JAG to the Authorization Server to obtain an access token for the Resource Server.

What is JWT Bearer Grant?

The JWT Bearer Grant (RFC 7523) allows your application to present a signed JWT assertion (the ID-JAG) to obtain an access token. The Authorization Server validates the assertion and issues an access token that can be used to access protected resources.

Resource client credentials

When you register a client at Client Registration with a resource connection, a corresponding resource client (e.g., client_xxx-at-todo0) is auto-provisioned at the Authorization Server. Save the resource client credentials from the confirmation modal. They are required for this step.

Request parameters

| Parameter  | Required | Value                                                    |
|------------|----------|----------------------------------------------------------|
| grant_type | Yes      | urn:ietf:params:oauth:grant-type:jwt-bearer              |
| assertion  | Yes      | The ID-JAG from Step 2                                   |
| scope      | Optional | Requested scopes (must be a subset of the ID-JAG scopes) |

Implementation

client_secret_post authentication

Developer-registered clients use client_secret_post: credentials go in the POST body, not in an Authorization: Basic header. Use the resource client credentials (resource_client_id / resource_client_secret) from your registration, not the IDP client credentials from Steps 1 and 2.

Response

A successful response (JSON) contains the following fields:

| Field        | Description                                    |
|--------------|------------------------------------------------|
| access_token | The access token for the Resource Server       |
| token_type   | Always Bearer                                  |
| expires_in   | Token lifetime in seconds (typically 2 hours)  |
| scope        | Granted scopes                                 |

Access Token Claims

The access token contains:

  • iss - Issuer (the Authorization Server)
  • sub - Subject: {providerName}:{userSub}, e.g. customer1:alice@example.com. See Token Structure
  • aud - Audience (the Resource Server URL, with trailing slash)
  • client_id - Your resource client ID
  • scope - Granted permissions (intersection of requested and ID-JAG scopes)
  • exp - Expiration time
  • iat - Issued at time
  • jti - Unique token identifier
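The request from the Implementation section and the claim checks above, combined into one added example (not Okta's code): it builds the client_secret_post form body for the token endpoint and validates a decoded access token the way a resource server would. Issuer, resource URL, client ID, secret and token values are assumed placeholders, and signature verification against the Authorization Server's signing keys is left to your JWT library.

```python
# Added example, not Okta's code. Every URL, client id, secret and token passed in is a constructed placeholder.
import base64
import json
import time
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def build_token_request(resource_client_id, resource_client_secret, id_jag, scope=None):
    """Return (headers, body) for the token endpoint. With client_secret_post the
    credentials go in the form body; no Authorization: Basic header is sent."""
    form = {"grant_type": JWT_BEARER, "assertion": id_jag,
            "client_id": resource_client_id, "client_secret": resource_client_secret}
    if scope:
        form["scope"] = scope  # optional; must be a subset of the ID-JAG scopes
    return {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(form)

def decode_payload(token):
    """Decode the JWT payload only. The signature is NOT checked here: verify it
    against the Authorization Server's signing keys before trusting the claims."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_access_token(claims, issuer, resource_url, resource_client_id, now=None):
    """Apply the resource-server checks for the claims listed above and return
    (provider_name, user_sub). Raises ValueError naming the first failing claim."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss")
    if claims.get("aud") != resource_url.rstrip("/") + "/":  # aud carries a trailing slash
        raise ValueError("aud")
    if claims.get("client_id") != resource_client_id:  # client binding
        raise ValueError("client_id")
    if not claims.get("iat", now + 1) <= now < claims.get("exp", 0):
        raise ValueError("exp")
    provider, sep, user_sub = claims.get("sub", "").partition(":")
    if not (provider and sep and user_sub):  # sub is {providerName}:{userSub}
        raise ValueError("sub")
    return provider, user_sub

def granted_scope(requested, id_jag_scope):
    """Scope the AS issues: the intersection of the request and the ID-JAG scopes
    (the full ID-JAG scope when the optional scope parameter is omitted)."""
    wanted = requested.split() if requested else id_jag_scope.split()
    return " ".join(s for s in id_jag_scope.split() if s in wanted)

if __name__ == "__main__":  # constructed values, not real credentials
    _, body = build_token_request("client_xxx-at-todo0", "RESOURCE_CLIENT_SECRET", "ID_JAG_FROM_STEP_2", "read")
    print(body)
```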

Decoded access token example

(JSON example not reproduced in this copy of the page.)

Error handling

| Error               | Cause                                                          | Fix                                                                                                        |
|---------------------|----------------------------------------------------------------|------------------------------------------------------------------------------------------------------------|
| invalid_grant       | ID-JAG is expired, invalid, or signature verification failed   | Get a fresh ID-JAG from Step 2; ID-JAGs expire in 5 minutes                                                |
| invalid_client      | Client authentication failed (wrong credentials)               | Use your resource client credentials (resource_client_id / resource_client_secret), not the IDP client credentials |
| unauthorized_client | Resource client not registered at Authorization Server         | Register via Client Registration with a resource connection                                                |
| invalid_scope       | Requested scope exceeds what's allowed                         | Request only scopes that were authorized in the ID-JAG                                                     |

Security considerations

  1. ID-JAG Expiry: ID-JAGs are short-lived (5 minutes). Request access tokens promptly.
  2. Scope Limitation: The issued scope is the intersection of what you request here and what the ID-JAG authorized in Step 2.
  3. Client Binding: The access token is bound to your resource client ID (client_xxx-at-todo0).
  4. sub format: The sub claim in the access token is {providerName}:{userEmail}, not the raw email. Account for this in your resource server's user identification logic.

Next step

Now that you have an access token, proceed to Step 4: Call the Resource to access protected resources.


Presented by Okta Developer

Copyright © 2026 Okta. All rights reserved.