Can an RS256 access token be created to test implementations?

I’d like to get a signed JWT with RS256 for testing the implementation in my API.

This was easy with HS256, as I can simply write JSON myself and sign it using the shared key. But with RS256, the private key remains within Auth0 (for good reasons), and I can’t seem to get a signed token through the management panel.

Any ideas?

1 Like

Yes, although the process may vary slightly depending on the requirements of the API.

If the API accepts client credentials access tokens (no end-user involved) then the easiest route would be to have a non-interactive client application authorized for that API and then either:

  • generate an access token manually through the Test section available in the relevant API dashboard for the case of performing sporadic and manual test requests.
  • obtain an access token through your own client credentials grant request for cases where you just prefer a higher degree of automation.

On the other hand, if the API requires the access token to be associated to an end-user (for example, the API not only checks the access token scopes, but also ensures the sub claim is associated to what the API would classify as an existing user), then you may need to have a test user created (ideally you would have a separate tenant/domain for testing so all the users there would end up being test users) and then perform a resource owner password credentials grant as a quick (and easily automated) way to obtain an end-user based access token for testing.

2 Likes
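The two automated routes described in the answer above, as an added example that is not part of the original thread or Auth0's own code: it builds the client credentials and resource owner password credentials requests against the tenant's `/oauth/token` endpoint and sanity-checks that the returned token is an RS256 JWT. The function names are hypothetical, and the tenant domain, client ID and secret, audience and test-user credentials are values you supply.

```python
import base64
import json
import urllib.parse
import urllib.request

def token_request(domain, client_id, client_secret, audience,
                  username=None, password=None):
    """Build the POST to https://<domain>/oauth/token.

    No username: client credentials grant (no end user involved).
    With username/password: resource owner password credentials grant,
    so the token's sub claim belongs to that test user.
    """
    form = {"client_id": client_id, "client_secret": client_secret,
            "audience": audience, "grant_type": "client_credentials"}
    if username is not None:
        form.update(grant_type="password", username=username, password=password)
    return urllib.request.Request(
        f"https://{domain}/oauth/token",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST")

def fetch_access_token(request):
    """Send the request (needs network access) and return the access token."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)["access_token"]

def _segment(b64url):
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4)))

def inspect_token(token):
    """Decode header and claims WITHOUT verifying the signature.

    Only a sanity check that the tenant issued an RS256 JWT for the test;
    the API under test must still verify the signature itself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    header, claims = _segment(parts[0]), _segment(parts[1])
    if header.get("alg") != "RS256":
        raise ValueError(f"expected alg RS256, got {header.get('alg')!r}")
    return header, claims
```

Keep the client secret and test-user password in the test environment's secret store rather than in the test code, and use a separate test tenant as the answer suggests.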

Hi @jmangelo,
the latter is the case — in my case. 🙂 Thanks a bunch for the explanation, I think that’ll do.
